MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 00:10:22

@MobilXperts Admin has joined the channel

Jonathan Henson (jon@1fixpc.com)
2016-07-22 00:10:22

@Jonathan Henson has joined the channel

jaimin.s (jaimins@gmail.com)
2016-07-22 01:36:55

@jaimin.s has joined the channel

thomrburg (thomrburg@me.com)
2016-07-28 00:18:23

@thomrburg has joined the channel

onires53 (jason.r.serino@gmail.com)
2016-08-05 00:58:41

@onires53 has joined the channel

dustinclark (dustinclark916@gmail.com)
2016-09-09 20:36:44

@dustinclark has joined the channel

onires53 (jason.r.serino@gmail.com)
2016-09-13 00:43:15

Anyone dealing with the iOS 10 and MobileIron Tunnel VPN issues? "Known Issue: Inconsistent Per App VPN behavior in iOS 10 when using MobileIron Tunnel"

Jonathan Henson (jon@1fixpc.com)
2016-09-13 20:02:54

Anyone getting reports of iOS10 OTA update failing requiring iTunes restore?

Jonathan Henson (jon@1fixpc.com)
2016-09-13 20:02:58

https://www.reddit.com/r/apple/comments/52lp8o/ios10_installation_failing/

onires53 (jason.r.serino@gmail.com)
2016-09-13 20:04:03

There are reports of device bricking with the iOS 10 update.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 20:37:20

I’m curious to hear what it stems from. I’ve gone through several public beta updates to the GM and it’s been seamless

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 20:49:05

http://www.macrumors.com/2016/09/13/apple-ios-10-update-issue-fixed/

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 19:59:59

Anyone come across this little glitch? Seeing something familiar to it, but I think it has more to do with our internal network ACLs than iOS - Waiting for Apple to hopefully do a verbose trace and determine what URLs are failing to connect for the device

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 20:00:07
MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 20:00:42
jaimin.s (jaimins@gmail.com)
2016-10-05 04:50:02

Hmnn

jaimin.s (jaimins@gmail.com)
2016-10-05 04:50:18

Are you going through a proxy ?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-10-05 13:16:15

Palo Alto. Just finished running a packet capture yesterday from a failing device. I think it's going to come down to 2 things. 1) Cached Internal Apple DNS records 2) Palo Alto denies to certain URLs

runderwood (runderwood71@gmail.com)
2016-10-06 19:39:54

@runderwood has joined the channel

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-08-25 13:24:04

@macbentosh I’m back today, if you still need an assist w/ that provisioning profile update

macbentosh (benbergthold@gmail.com)
2017-08-25 13:24:08

@macbentosh has joined the channel

Woody (eric.woodland@trust.tc)
2017-09-11 22:26:12

@Woody has joined the channel

Jonathan Henson (jon@1fixpc.com)
2017-09-13 15:15:24

Wow. Thanks for the heads up @Woody.

Woody (eric.woodland@trust.tc)
2017-09-13 15:17:28

Just happened to see it in my Twitter feed. Welcome!

Simon Hardy-Bistagne (simon@smnhdy.com)
2017-09-13 19:34:50

@Simon Hardy-Bistagne has joined the channel

onires53 (jason.r.serino@gmail.com)
2017-09-13 21:41:50

So how is MobileIron looking to leverage the facial recognition on the iPhone X? I'm pretty sure every EG member will be asking for the device and having to fall back to using lock screen pins and AppConnect codes instead of relying on fingerprint will be a problem.

Woody (eric.woodland@trust.tc)
2017-09-13 21:52:09

Can’t say anything officially, but here’s a start: http://i.coschedule.com/c00a3

Darryl Miles (darryl_miles@au1.ibm.com)
2017-09-18 21:46:32

*Thread Reply:* I'm advised integration/APIs are linked to TouchID at the moment. ie. if you disable TouchID, then FaceID is disabled too

Woody (eric.woodland@trust.tc)
2017-09-13 21:52:43

I’d imagine it’ll go just like TouchID did. On or Off. If off, revert to PIN/Passcode unlock

onires53 (jason.r.serino@gmail.com)
2017-09-13 21:55:37

@Woody wink-wink. We'll definitely pay attention.

👍 Woody
Woody (eric.woodland@trust.tc)
2017-09-13 22:02:58

Right on! Of course, no guarantees there will be any mention but it’s a good spot to voice the question!

Martin Cygan (martin@mobileiron.com)
2017-09-14 00:47:07

@Martin Cygan has joined the channel

aaron (aaron@groundctl.com)
2017-09-14 01:26:40

@aaron has joined the channel

aaron (aaron@groundctl.com)
2017-09-14 01:27:25

Thanks for the repost @Woody

👍 Woody
Woody (eric.woodland@trust.tc)
2017-09-14 01:34:20

You’re most welcome, @aaron! Good find.

aaron (aaron@groundctl.com)
2017-09-14 13:40:18

Curious about iOS 11 and the new Provisional DEP in Configurator 2.5? We’ve been doing research on this, and published on Enterprise iOS. Bottom line: it works, for small batches. http://eios.us/2eY6E83

👍 Woody
onires53 (jason.r.serino@gmail.com)
2017-09-15 03:38:02

Hey Aaron. We saw this too but haven't played with it yet. Still waiting for configurator to be released out of beta. Cool feature though.

julien (julien@appaloosa-store.com)
2017-09-15 09:58:25

@julien has joined the channel

Jeremy (jeremy@bodokh.com)
2017-09-15 12:01:34

@Jeremy has joined the channel

Darryl Miles (darryl_miles@au1.ibm.com)
2017-09-18 21:44:48

@Darryl Miles has joined the channel

Darryl Miles (darryl_miles@au1.ibm.com)
2017-09-18 21:45:24

Hi all. FYI - http://www.brianmadden.com/podcast/Deep-dive-on-iOS-11-in-the-enterprise-BrianMaddencom-Podcast-131

👍 julien, Woody
aaron (aaron@groundctl.com)
2017-09-18 21:47:19

Out of beta! (tomorrow)

👍 Woody
Woody (eric.woodland@trust.tc)
2017-09-20 14:44:47

Did everyone remember to update their DEP agreements?

onires53 (jason.r.serino@gmail.com)
2017-09-22 19:21:00

Just got our first batch of iPhone 8's and 8+'s. They show up as iPhone 10,4 in Core. I remember reading something on the support site about this. Any idea when this will be remedied?

aaron (aaron@groundctl.com)
2017-09-22 19:30:29

iPhone10,4 is Apple’s identifier for these. Any resemblance to an iOS version is coincidental. See more here: http://www.enterpriseios.com/wiki/iOS_Devices

Woody (eric.woodland@trust.tc)
2017-09-25 13:34:56

@onires53 do you have Core enabled (inside MICS) to install the functions/features

onires53 (jason.r.serino@gmail.com)
2017-09-25 17:22:01

Yes we do. @Woody

Woody (eric.woodland@trust.tc)
2017-09-25 17:24:10

We can check to see when the most recent update went out (and what platform support it included). My guess is that the identifier for the 8/X will be included in the next round, since they’ve been formally introduced.

egantner (egantner@mobileiron.com)
2017-09-28 17:34:58

@egantner has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-02 16:35:35

@onires53 - DPU Pack for iPhone 8, iPhone 8 Plus and Apple TV 4K just went out for Core

onires53 (jason.r.serino@gmail.com)
2017-10-02 22:18:42

@Woody I saw the MI notice this morning and sure enough it is showing up properly in our Core. Thanks!

👌 Woody
Woody (eric.woodland@trust.tc)
2017-10-02 22:27:10

Good deal @onires53! I had been tracking it internally but didn’t want to say anything until it had been formally released

Woody (eric.woodland@trust.tc)
2017-10-11 17:09:49

Anyone tried pushing an update to an in-house iOS app via cellular recently?

Woody (eric.woodland@trust.tc)
2017-10-11 17:10:02

*Thread Reply:* e.g app v1.0 is installed, v1.1 is added to MDM and update command pushed.

Woody (eric.woodland@trust.tc)
2017-10-11 17:10:50

*Thread Reply:* Does the ‘Use Cellular Data’ need to be enabled for v1.1 to be downloaded/installed? ~10MB update in this case.

David Larrea (david@larreaonline.com)
2017-10-12 19:12:16

@David Larrea has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-12 19:39:37

@here anyone know if there’s an MDM command that will allow the Text Size to be changed for supervised devices?

Woody (eric.woodland@trust.tc)
2017-10-12 19:42:24

I’m hearing a request for this, for fleet devices assigned to senior employees

Woody (eric.woodland@trust.tc)
2017-10-12 19:42:56
HackediOS (info@hackedios.com)
2017-10-12 20:19:58

@HackediOS has joined the channel

aaron (aaron@groundctl.com)
2017-10-12 21:18:30

@Woody GroundControl can do this.

👍 Woody
Woody (eric.woodland@trust.tc)
2017-10-12 21:26:51

*Thread Reply:* Nice! Could it be changed once the device is in the field? I’m not certain it would need to per se, but the client expressed interest in being able to tweak based on who was using the device.

aaron (aaron@groundctl.com)
2017-10-14 08:39:20

*Thread Reply:* Yes-ish. You’d need to re-image the device. (Which is easy with GC.)

Woody (eric.woodland@trust.tc)
2017-10-15 02:47:42

*Thread Reply:* @aaron booya! Thank you sir.

jafullersr (jafuller@starbucks.com)
2017-10-12 21:49:09

@jafullersr has joined the channel

Martin Cygan (martin@mobileiron.com)
2017-10-13 18:54:04
jafullersr (jafuller@starbucks.com)
2017-10-13 18:55:45

@Martin Cygan how many devices are you monitoring? Why is there still a steady number of “older”?

Martin Cygan (martin@mobileiron.com)
2017-10-13 18:57:20

THIS REPORT WAS GENERATED FROM 411,472,653,188 RECORDS

👍 jafullersr
Martin Cygan (martin@mobileiron.com)
2017-10-13 18:57:31

https://mixpanel.com/trends/#report/ios_11/from_date:-41,report_unit:day,to_date:0

Volker Weber (vowe@vowe.net)
2017-10-13 19:06:54

@Volker Weber has joined the channel

Danijel Stanic (danijel@stanic.org)
2017-10-13 19:39:53

@Danijel Stanic has joined the channel

Jason Bayton (jason@bayton.org)
2017-10-13 20:50:57

@Jason Bayton has joined the channel

Manju (mbhat123@gmail.com)
2017-10-14 18:00:17

@Manju has joined the channel

NicolasR (raison_nicolas@me.com)
2017-10-14 23:44:38

@NicolasR has joined the channel

Angela (angi.szabo@gmail.com)
2017-10-15 09:22:22

@Angela has joined the channel

Jason (jasonh@bridgeway.co.uk)
2017-10-15 11:23:26

@Jason has joined the channel

Fabian (mobilxperts@neokortex.de)
2017-10-15 14:29:10

@Fabian has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-15 16:36:39

Fairly certain my assumption (no) is still correct, but... is it possible to push a provisioning/configuration profile that automatically allows location services and notifications on a DEP device?

Jeremy (jeremy@bodokh.com)
2017-10-15 16:55:35

for any apps ?

Jeremy (jeremy@bodokh.com)
2017-10-15 16:56:37

I think you are still correct, have not seen any changes recently (iOS 10 or 11) regarding this

Woody (eric.woodland@trust.tc)
2017-10-15 16:59:45

Yeah @Jeremy, an in-house app coming down to a DEP device. Customer’s staff keep forgetting to accept upon installation

thomrburg (thomrburg@me.com)
2017-10-15 17:57:21

@Woody Location Services, no. Notifications, yes, using the Managed Notifications Payload. See here: https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW604

✅ Woody, Jeremy
jj (jj@autolean.com)
2017-10-15 18:18:29

@jj has joined the channel

RobE (robert.kreuzer@outlook.com)
2017-10-15 18:36:58

@RobE has joined the channel

jake (jake.woodhams@gmail.com)
2017-10-16 02:36:30

@jake has joined the channel

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-16 09:54:18

@Ole Schulenburg has joined the channel

Dominik (domi0815@gmail.com)
2017-10-16 15:55:16

@Dominik has joined the channel

Amine (amine.ayad@gmail.com)
2017-10-16 19:49:02

@Amine has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-17 00:55:34

@here Anyone noticed an issue (all the way up through iOS 11.0.3) when you: 1) Enroll in MDM 2) Exchange config pushes 3) Set a mobile Exchange signature in Settings 4) Retire 5) Re-enroll 6) Exchange config pushes and an old signature (pre-dating the one set in step 3) populates?

aaron (aaron@groundctl.com)
2017-10-17 00:58:47

Not surprising. Signatures are stored in prefs independent from accounts.

aaron (aaron@groundctl.com)
2017-10-17 00:58:55

Which email client is this?

Woody (eric.woodland@trust.tc)
2017-10-17 00:58:59

I've noticed this across devices and different EMMs, so there's definitely something stuck.

Woody (eric.woodland@trust.tc)
2017-10-17 00:59:03

Native iOS Mail

aaron (aaron@groundctl.com)
2017-10-17 01:00:35

“Enterprise wipe” != wipe.

Woody (eric.woodland@trust.tc)
2017-10-17 01:01:37

Yeah, I wish the MDM Profile had more control over elements (such as the signatures) that technically fall under its scope

Joe Dickey (joe@groundctl.com)
2017-10-17 05:01:04

@Joe Dickey has joined the channel

Fabian (mobilxperts@neokortex.de)
2017-10-17 08:14:05

More control would definitely be awesome. Keeping the signature when mail address and server do not change sounds like a good design, as it removes the need for the user to reconfigure everything if the company has to repush the mail profile, for whatever reason.

👍 Russell Mohr
Woody (eric.woodland@trust.tc)
2017-10-17 12:24:20

@Fabian I’ve long thought that predefined signature and ability to enable Mail/Contacts/Calendars/Notes should be controlled by the Exchange config. Perhaps we’ll see it in iOS 11.3?

Robert R. (rr10@gmx.de)
2017-10-17 20:11:19

@Robert R. has joined the channel

Marc0R (marco.risati@youco.eu)
2017-10-18 11:04:56

@Marc0R has joined the channel

Miklos Kerekfy (miklos@kerekfy.hu)
2017-10-18 16:40:59

@Miklos Kerekfy has joined the channel

Russell Mohr (rmohr@mobileiron.com)
2017-10-18 17:12:47

@Russell Mohr has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2017-10-18 19:20:16

@Mark Vonk has joined the channel

Daniel Eiler (mail@danieleiler.net)
2017-10-19 20:18:06

@Daniel Eiler has joined the channel

PD (patrick.dernehl@t-systems.com)
2017-10-20 08:27:19

@PD has joined the channel

Philipp Steder (philipp.steder@ebf.de)
2017-10-20 12:23:08

@Philipp Steder has joined the channel

Barrie Codona (barrie.codona@hotmail.com)
2017-10-20 16:23:40

@Barrie Codona has joined the channel

SebastienP (spernot@gmail.com)
2017-10-25 21:06:52

@SebastienP has joined the channel

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-03 09:07:49

quick question. I am supposed to migrate a VIP to a new iPhone. However the backup was once encrypted and has a password on it, that no one knows.

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-03 09:07:53

any ideas?

Jeremy (jeremy@bodokh.com)
2017-11-03 09:27:59

iCloud Backup ?

Jeremy (jeremy@bodokh.com)
2017-11-03 09:28:22

or you can delete the existing backup and start again without password

aaron (aaron@groundctl.com)
2017-11-03 11:52:48

@Ole Schulenburg https://support.apple.com/en-us/HT205220 “If you can’t remember the password for your encrypted backup”

👍 Ole Schulenburg
Jason (jasonh@bridgeway.co.uk)
2017-11-03 11:55:41

There is a school of thought that if a user cannot remember their passwords, perhaps they shouldn’t be let loose with a device… 😉

👍 Woody
Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-03 14:10:22

thanks @aaron

HackediOS (info@hackedios.com)
2017-11-04 18:10:16

@Ole Schulenburg there is a very well known bug that an encrypted backup doesn’t recognize your correct password. I fell victim to this on my current iPhone 7+ and I know it’s the correct encrypted backup password because it’s the only one I have ever used. The only way to get access to it from a normal approach, meaning no software assisted attempts, is to try every password known to that person in hopes it will work. There are a few lengthy threads in Apple forums about this and results vary widely in what works. I suggest just manually setting up the new iPhone as painful as that is so that there’s a clean slate to start with, unless you have time and some luck.

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-04 18:38:48

@HackediOS see @aaron's response. since iOS 11 you can reset the password. 🙂

HackediOS (info@hackedios.com)
2017-11-04 18:43:48

@Ole Schulenburg yes, you can reset the password, but the encrypted backup is unusable, hence why I said what I said if you are trying to still use that encrypted backup. What I should have clarified is pre-iOS 11 because not everyone updates to the newest firmware or wants to.

Luc (luc.rames@digitaldimension.fr)
2017-11-07 09:25:58

@Luc has joined the channel

NicolasR (raison_nicolas@me.com)
2017-11-08 10:01:41

Hi guys! Is there a known issue with iOS 11.1 and WiFi certificates trust? I’m having a user who reports untrusted radius prompts

Jason (jasonh@bridgeway.co.uk)
2017-11-08 10:05:37

Only for the first connection to that WiFi - I think this has been an iOS 10 limitation as well, IIRC.

Jason (jasonh@bridgeway.co.uk)
2017-11-08 10:06:29

Drat, forgot to put it into a thread. I expect to be flamed any moment now…

🔥 Jason, Jason Bayton, Woody
Jason Bayton (jason@bayton.org)
2017-11-08 10:09:18

It's fine @Jason, @Woody still appears to be sleeping

👀 Jason Bayton
😆 Jason, Woody
NicolasR (raison_nicolas@me.com)
2017-11-08 10:25:12

It used to work with iOS 11.0 and 10.3

NicolasR (raison_nicolas@me.com)
2017-11-08 10:25:35

I’m just trying to figure out if the issue is that the customer has changed something on their end

Fabian (mobilxperts@neokortex.de)
2017-11-09 06:19:10

*Thread Reply:* According to the MI Community iOS11 Doc there is a known issue suiting your description

Jason (jasonh@bridgeway.co.uk)
2017-11-08 12:02:53

Cert expiry?

Woody (eric.woodland@trust.tc)
2017-11-08 12:46:56

LoL @Jason Bayton @Jason

Woody (eric.woodland@trust.tc)
2017-11-08 12:49:11

They really need a prompt when you send something that ends with a “?” - Would you like to thread this?

Jason (jasonh@bridgeway.co.uk)
2017-11-08 12:50:27

*Thread Reply:* No, I wouldn’t. 😉

😆 Woody
Woody (eric.woodland@trust.tc)
2017-11-16 18:18:41

Interesting. It appears Apple moved the Server Caching service from the Server app back into the general OS with High Sierra.

🤔 Jonathan Henson
aaron (aaron@groundctl.com)
2017-11-17 14:50:15

*Thread Reply:* @Woody it works REALLY well now, and no longer requires Ethernet. Plus you get tethered networking to usb-connected iOS devices.

👍 Woody
Woody (eric.woodland@trust.tc)
2017-11-17 14:55:41

*Thread Reply:* Did Caching require ethernet before 5.4? Yeah, I like how essentially any MacOS machine can now be a caching server on your network.

Jonathan Henson (jon@1fixpc.com)
2017-11-16 20:37:52

Any idea if there is a restriction available to MDM to gray out the iOS 11 "Apps & Websites Passwords" section under Settings > Accounts & Passwords?

Woody (eric.woodland@trust.tc)
2017-11-16 20:54:59

*Thread Reply:* @Jonathan Henson Are you attempting to prevent the user from storing U/P credentials for company sites/services?

Woody (eric.woodland@trust.tc)
2017-11-16 20:56:53

*Thread Reply:* Managed Domains may be your best bet.

Woody (eric.woodland@trust.tc)
2017-11-16 21:00:09

*Thread Reply:* That area you’re referring to also ties into iCloud Keychain (if enabled). So, perhaps another reason to use Managed Domains

Jonathan Henson (jon@1fixpc.com)
2017-11-16 21:23:55

*Thread Reply:* @Woody I'll have to look into managed domains. The iPads are handed to patients to submit online reviews for the facility. Each device has a set of 5 - 7 webclips that point to the various social media review sites for the facility. We want to make sure that John Doe doesn't save his Facebook login, etc on the device. iCloud is disabled on these devices.

Jonathan Henson (jon@1fixpc.com)
2017-11-16 21:35:52

*Thread Reply:* Settings > General > Restrictions > Accounts > Don't Allow Changes. (Disallowing changes prevents adding, removing, or modifying accounts in Accounts & Passwords).

Jonathan Henson (jon@1fixpc.com)
2017-11-16 21:36:21

*Thread Reply:* lol, that stops you from being able to manually edit accounts (like email accounts) but doesn't grey out apps & website passwords.

aaron (aaron@groundctl.com)
2017-11-17 14:47:33

*Thread Reply:* @Jonathan Henson assuming the iPads are supervised (they should be) you can add a whitelist of web sites in a config profile. This restricts all other sites. That should do the trick.

aaron (aaron@groundctl.com)
2017-11-17 14:48:52

*Thread Reply:* (You may also want to look at groundctl.com to easily wipe and reimage devices weekly.)

👍 Woody
Tobias (tobias.gruenewald@ebf.com)
2017-11-21 13:39:03

@Tobias has joined the channel

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-27 15:23:24

I Have a customer that has their DEP working but VPP is in the "in review" status.. for a few weeks now. 😕

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-27 15:23:30

nay suggestions?

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-27 15:23:32

any**

Jason (jasonh@bridgeway.co.uk)
2017-11-27 15:23:43

Yup, phone them

Jason (jasonh@bridgeway.co.uk)
2017-11-27 15:24:02

Apple are quite responsive if the customer places a call to them on this

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-27 15:27:37

true. mails and feedback didn't work, so a call might.

👍 Jason, Woody
☎️ Jason
Jason (jasonh@bridgeway.co.uk)
2017-11-27 15:28:58

It’s old fashioned but it has worked a treat in the past.

Jason (jasonh@bridgeway.co.uk)
2017-11-27 15:29:58

For example, for DEP: https://support.apple.com/en-gb/HT204142

Woody (eric.woodland@trust.tc)
2017-11-27 15:30:45

In this day and age, you’d still think they’d be able to be more responsive via means other than a game of old fashioned telephone

Jason Bayton (jason@bayton.org)
2017-11-27 15:39:05

*Thread Reply:* #sass

Woody (eric.woodland@trust.tc)
2017-11-27 15:42:47

*Thread Reply:* #JustSayin

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-11-27 15:57:08

*Thread Reply:* 🙂

runderwood (runderwood71@gmail.com)
2017-11-27 19:02:12

ok looking for some help. We are using Forcepoint and when a mobile device, managed with AirWatch, connects to the corporate network it cannot go to google, yahoo, facebook, twitter etc. those types of https sites. The device is doing its job because Forcepoint is acting like the "man in the middle" but we have forcepoint setup to issue its own certs as a subCA. So the network team and Forcepoint team say as long as the mobile device trusts the Root cert and Forcepoint is using that same Root cert everything should work, but it does not. Anybody else run into this issue?

aaron (aaron@groundctl.com)
2017-11-27 19:14:24

Hey @runderwood it isn’t as simple as installing the cert onto the iOS device. You need to associate the cert with the wifi profile used to connect to the Forcepoint-protected SSID. That’s a chicken-or-egg problem… how do you get onto the wifi network to get the cert to get onto the wifi network? The solution is typically to use a tethered management tool such as Apple Configurator or #v_groundcontrol to install the profile.

runderwood (runderwood71@gmail.com)
2017-11-27 19:16:43

@aaron we use a profile that I created in AirWatch to connect to our corporate wifi. the profile has the certs in it.

aaron (aaron@groundctl.com)
2017-11-27 19:17:39

*Thread Reply:* Starting a thread….

aaron (aaron@groundctl.com)
2017-11-27 19:18:39

*Thread Reply:* So the device is already connected to the SSID and then AirWatch pushes down the profile to connect to the SSID? I’m pretty sure that doesn’t work. You’d need a second SSID to connect to the AirWatch server.

runderwood (runderwood71@gmail.com)
2017-11-27 19:45:32

*Thread Reply:* ok. say the device is newly configured in AirWatch. The device will receive a profile for the corporate SSID. then a user connects to the wifi and tries to go to google.com. Forcepoint (Websense) re encrypts the traffic and then presents it to the device with a cert. So regular cert chain would be Root then Issuing then site. going through forcepoint it goes Root, Issuing, Forcepoint SubCA, then site.

Woody (eric.woodland@trust.tc)
2017-11-27 20:01:21

*Thread Reply:* So, if all the above is in place. When the device hits ForcePoint (Websense), does it require the user to authenticate to pass through the proxy out to the site they’re trying to access?

runderwood (runderwood71@gmail.com)
2017-11-27 20:03:13

*Thread Reply:* no authentication required. It just re encrypts the traffic and the mobile device does not trust the cert chain. It thinks it is a "man in the middle" attack

Woody (eric.woodland@trust.tc)
2017-11-27 20:04:35

*Thread Reply:* Gotcha. Have you tried sending out the cert chain for the ForcePoint directly to the device (as a Certificate configuration), so it’s placed in the Trust Store and inherently trusted by the device?

runderwood (runderwood71@gmail.com)
2017-11-27 20:04:53

*Thread Reply:* yea.

Woody (eric.woodland@trust.tc)
2017-11-27 20:07:21

*Thread Reply:* Hrmm. If the chain is sitting in that store, the device shouldn’t whine about it. Have you installed that chain to a desktop? Curious if the chain checks-out.

runderwood (runderwood71@gmail.com)
2017-11-27 20:07:47

*Thread Reply:* works fine on the desktop.

Woody (eric.woodland@trust.tc)
2017-11-27 20:09:28

*Thread Reply:* Well, not -on- the desktop

runderwood (runderwood71@gmail.com)
2017-11-27 20:09:57

*Thread Reply:* of course on the mobile device safari does not prompt you and give you the ability to trust it yourself. With Google Chrome on the ios device I do get the prompt.

Woody (eric.woodland@trust.tc)
2017-11-27 20:10:10

*Thread Reply:* If you import the chain to the cert store and check the relationship between the Root/CA/SubCa/Cert, does it find any discrepancy?

runderwood (runderwood71@gmail.com)
2017-11-27 20:11:44

*Thread Reply:* can I not post a pic in a thread?

runderwood (runderwood71@gmail.com)
2017-11-27 20:11:54

*Thread Reply:* trying to share a snapshot

runderwood (runderwood71@gmail.com)
2017-11-27 20:12:12

*Thread Reply:* the device has all the certs in the cert store

Woody (eric.woodland@trust.tc)
2017-11-27 20:21:17

*Thread Reply:* You have to do it in the main channel. IdK why they haven’t added photos inside threads just yet

runderwood (runderwood71@gmail.com)
2017-11-27 20:24:05

*Thread Reply:* just posted it

Woody (eric.woodland@trust.tc)
2017-11-27 20:27:15

*Thread Reply:* Got it. I think more of the issue here is that the device may know the identity of the destination site, which results in it believing ForcePoint is a MITM

Woody (eric.woodland@trust.tc)
2017-11-27 20:28:31

*Thread Reply:* If it knew only ForcePoint as the responder for that SSL connection, it would have no basis for comparison and trust the connection

aaron (aaron@groundctl.com)
2017-11-27 20:59:09

*Thread Reply:* Wouldn’t this need to be a proxy, not really MITM?

aaron (aaron@groundctl.com)
2017-11-27 20:59:39

*Thread Reply:* “Transparent authentication is not supported. The user is always prompted for credentials.” https://www.websense.com/content/support/library/web/v81/wcg_help/auth_mac_idevice.aspx#1138360

aaron (aaron@groundctl.com)
2017-11-27 20:59:52

*Thread Reply:* (not sure that is your product, but it makes sense to me)

Woody (eric.woodland@trust.tc)
2017-11-27 21:07:56

*Thread Reply:* Also curious - What does the vendor have to say about this arrangement? Any suggested means of allowing mobile devices to access secure sites using their product? Surely this isn’t the first time a customer has encountered this.

runderwood (runderwood71@gmail.com)
2017-11-27 21:09:45

*Thread Reply:* The vendor really has not said much. They did say that they always see issues with mobile devices lol

Woody (eric.woodland@trust.tc)
2017-11-27 21:12:05

*Thread Reply:* Sounds like they’re not really concerned. Not sure they’re going to be a vendor you all will want to be dealing with long-term 🙃

runderwood (runderwood71@gmail.com)
2017-11-27 21:34:00

*Thread Reply:* exactly we are always fighting with the network security team about forcepoint.

Woody (eric.woodland@trust.tc)
2017-11-27 21:35:50

*Thread Reply:* Perhaps they create a second SSID for Mobile that bypasses ForcePoint? Or enforce restrictions for devices using that SSID, such as a Web Content Filter (Supervised Devices Only)?

Jason (jasonh@bridgeway.co.uk)
2017-11-27 19:22:20

Am I right in understanding this as a iOS & captive agent issue?

Jason (jasonh@bridgeway.co.uk)
2017-11-27 19:25:17

If so, all you need to do is allow a firewall rule out to the https://captive.apple.com/ site

runderwood (runderwood71@gmail.com)
2017-11-27 19:47:43

@Jason if your question was to me then, no it is not captive agent. Forcepoint is websense. it acts like the man in the middle and re encrypts traffic.

Jason (jasonh@bridgeway.co.uk)
2017-11-27 19:50:45

Apologies, of course it is.

runderwood (runderwood71@gmail.com)
2017-11-27 20:23:44

@runderwood uploaded a file: Image-1.jpg

runderwood (runderwood71@gmail.com)
2017-11-27 20:23:52

@Woody

NicolasR (raison_nicolas@me.com)
2017-11-28 23:32:50

@runderwood you are using Chrome. While you installed the root/intermediate certificate chain on the iOS device, you didn’t install it in the Chrome app. Yes, iOS is a sandboxed OS, installing a certificate at the System level doesn’t allow a third party app to access it and trust it or use it.

Deep packet inspection is basically a bad idea in mobility, this often doesn’t work as only native Safari/Mail apps will accept to trust certificates. Other apps like Skype, Chrome or others will prompt with untrusted very error.

✅ Woody
Oliver (oliver.schiemann@isec7.com)
2017-11-29 11:44:57

@Oliver has joined the channel

aaron (aaron@groundctl.com)
2017-12-04 01:13:16

@channel Looks like Apple has a new software license agreement for DEP. Your company’s Program Agent is required to accept the new agreement on deploy.apple.com before using DEP again.

👍 NicolasR, Jonathan Henson
Woody (eric.woodland@trust.tc)
2017-12-04 01:31:56

Good find, @aaron!

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-12-04 07:02:09

thanks aaron

Russell Mohr (rmohr@mobileiron.com)
2017-12-04 14:55:17

It’s so worth it to break DEP to educate customers about accepting EULA’s

Russell Mohr (rmohr@mobileiron.com)
2017-12-04 14:55:31
Jason Bayton (jason@bayton.org)
2017-12-04 14:56:35

that's my favourite screenshot of the week @Russell Mohr

macbentosh (benbergthold@gmail.com)
2017-12-04 15:21:06

@Woody I can not get content cache to turn on with my mac mini. Keeps saying currently unavailable.

macbentosh (benbergthold@gmail.com)
2017-12-04 15:21:51

@aaron what happens to any devices assigned when the agreement was not accepted

aaron (aaron@groundctl.com)
2017-12-04 15:24:07

@macbentosh devices that are assigned are fine. Devices that are already set up are fine. No effect.

aaron (aaron@groundctl.com)
2017-12-04 15:24:27

But you likely won’t be able to change the DEP profile for a device, and you won’t be able to assign any new devices.

aaron (aaron@groundctl.com)
2017-12-04 15:24:48

Basically, this affects only new devices.

macbentosh (benbergthold@gmail.com)
2017-12-04 15:25:08

that’s what I mean. I just agreed to it. What if a device was shipped Saturday.

Woody (eric.woodland@trust.tc)
2017-12-04 15:28:44

@macbentosh what version of MacOS are you running?

macbentosh (benbergthold@gmail.com)
2017-12-04 15:29:24

HS

Woody (eric.woodland@trust.tc)
2017-12-04 15:31:08

So, you’re working within the System Prefs --> Content Caching area, but it won’t allow it to enable?

macbentosh (benbergthold@gmail.com)
2017-12-04 15:33:24

yup

Woody (eric.woodland@trust.tc)
2017-12-04 15:33:36

Is that Mac able to determine its public IP? That’s honestly the only big dependency I know of that might trip it up.

macbentosh (benbergthold@gmail.com)
2017-12-04 15:33:38

and working from command line. clearing any cache

macbentosh (benbergthold@gmail.com)
2017-12-04 15:33:48

should

macbentosh (benbergthold@gmail.com)
2017-12-04 15:34:09

I have to play with it more. but it sits there for days like that.

macbentosh (benbergthold@gmail.com)
2017-12-04 15:34:33

Thinking about throwing it on our non prod network and seeing if it is our effing proxy…Again.

Woody (eric.woodland@trust.tc)
2017-12-04 15:40:03

My guess is that the proxy is jacking it up. All it really does is look-up the public IP and tell Apple that it is hosting content caching services for anyone that comes looking for updates from your gateway.

macbentosh (benbergthold@gmail.com)
2017-12-07 17:56:47

Got a user that is getting asked for their itunes store password every morning since iOS 11.

macbentosh (benbergthold@gmail.com)
2017-12-07 17:57:08

any idea signed out. rebooted everything i can think of.

Woody (eric.woodland@trust.tc)
2017-12-07 18:00:04

and they’re certain it’s the correct p/w, right?

Woody (eric.woodland@trust.tc)
2017-12-07 18:02:15

It sounds like it is accepting, but discarding the credential every ~24 hours?

Woody (eric.woodland@trust.tc)
2017-12-07 18:14:10

… @macbentosh don’t leave me hanging, LoL

macbentosh (benbergthold@gmail.com)
2017-12-07 18:14:21

yes

macbentosh (benbergthold@gmail.com)
2017-12-07 18:14:34

correct password

macbentosh (benbergthold@gmail.com)
2017-12-07 18:14:46

if cancelled it doesn't hit again till the am

macbentosh (benbergthold@gmail.com)
2017-12-07 18:14:51

around 3-4am

Woody (eric.woodland@trust.tc)
2017-12-07 18:16:36

Is there a need to have an AppleID on the device (aka is VPP in use), or is it BYOD?

macbentosh (benbergthold@gmail.com)
2017-12-07 18:17:43

personal device

macbentosh (benbergthold@gmail.com)
2017-12-07 18:18:08

VIP person…no device business association but we support them.

macbentosh (benbergthold@gmail.com)
2017-12-07 18:18:09

brb

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:19:18

I wonder if they may have installed an app under a different AppleID, and this is causing the prompt (e.g. trying to update an app or similar)

💯 Jonathan Henson
Jason Bayton (jason@bayton.org)
2017-12-07 18:24:46

^ yup I've seen that a few times

Woody (eric.woodland@trust.tc)
2017-12-07 18:27:59

Ah yes, that’s one I’m familiar with

Woody (eric.woodland@trust.tc)
2017-12-07 18:28:16

There’s an update for the app that was installed under the context of another AppleID

macbentosh (benbergthold@gmail.com)
2017-12-07 18:45:05

it is just asking for the password for the only logged in Apple ID

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:45:21

Have you tried rebuilding it?

macbentosh (benbergthold@gmail.com)
2017-12-07 18:47:42

restore?

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:47:58

Full wipe and restore from backup

macbentosh (benbergthold@gmail.com)
2017-12-07 18:48:23

well…Didn’t happen on their 8 started on the restore to the 10

macbentosh (benbergthold@gmail.com)
2017-12-07 18:48:26

or X

macbentosh (benbergthold@gmail.com)
2017-12-07 18:48:30

or EX

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:48:32

As it’s a VIP, I suggest a full backup and restore to a spare machine.

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:48:56

Ah, ok. Backed up to iCloud or PC?

macbentosh (benbergthold@gmail.com)
2017-12-07 18:49:17

PC

macbentosh (benbergthold@gmail.com)
2017-12-07 18:49:22

encrypted

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:49:51

Good. I would try a restore to a freshly reset device and see if that works.

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:50:22

If so, hand it to them after a day has passed without the prompt.

Jason (jasonh@bridgeway.co.uk)
2017-12-07 18:50:58

Or, reset their device and restore the backup again. However, they won’t love you if you just reintroduce the problem again… 🙂

Jay (jay@project-xy.com)
2017-12-08 12:11:08

@Jay has joined the channel

Jason Bayton (jason@bayton.org)
2017-12-13 09:50:12

To settle a minor disagreement about VPP, can anyone confirm if there's any difference between the functionality of VPP between DEP/non-DEP devices? That extends to supervision also. Interested primarily in the use of device vs user assignment.

Jason (jasonh@bridgeway.co.uk)
2017-12-13 09:52:21

Silent install (managed distribution) for AppleID assignment?

Jason Bayton (jason@bayton.org)
2017-12-13 09:53:28

ideally no AppleID on devices in either case.

Jason (jasonh@bridgeway.co.uk)
2017-12-13 09:53:29

I mention it as a question, because why wouldn’t you move to device-based assignment for most of your apps? (Other than paid for apps, where per-user assignment may be cheaper)

Jason (jasonh@bridgeway.co.uk)
2017-12-13 09:53:39

Quite

Jason Bayton (jason@bayton.org)
2017-12-13 09:54:28

I'm of the opinion (because I'm by no means intimately familiar with it) device-based can be used whether the device is supervised or not.

Jason (jasonh@bridgeway.co.uk)
2017-12-13 09:54:50

Perhaps the question is best asked in terms of supervision, rather than DEP, as this is effectively the difference, not the enrolment process in this case.

Jason Bayton (jason@bayton.org)
2017-12-13 09:54:58

indeed

Jason (jasonh@bridgeway.co.uk)
2017-12-13 09:56:06

Oh, that said, just to clarify, you can do a ‘wait-till-everything-is-installed’ before allowing the user access to a fresh DEP-enabled device, which should cut down support calls and reduce any possible user confusion with background installs, etc.

Tobias (tobias.gruenewald@ebf.com)
2017-12-13 10:11:13

Regarding the VPP licensing there is no difference for device-based between DEP/non-DEP or supervised/non-supervised. On non-supervised devices you just have the requirement that the user needs to confirm every app installation request.

👍 Woody
Jason Bayton (jason@bayton.org)
2017-12-13 10:41:08

Ooh perfect @Tobias thank you for clarifying

aaron (aaron@groundctl.com)
2017-12-13 13:32:22

I can confirm what @Tobias said. VPP is orthogonal to DEP.

Tobias (tobias.gruenewald@ebf.com)
2017-12-13 13:33:12

and the intersection point is iOS? 🙂

aaron (aaron@groundctl.com)
2017-12-13 13:33:35

The intersection point is Apple sales reps who conflate the two.

Jason Bayton (jason@bayton.org)
2017-12-13 13:34:31

Which seemingly has resulted in this question @aaron so yeah. Thanks for confirming

Woody (eric.woodland@trust.tc)
2017-12-13 14:11:31

Good one @Tobias. I was explaining that yesterday. Small difference in UX with VPP across the two management styles, but noteworthy

Russell Mohr (rmohr@mobileiron.com)
2017-12-13 16:55:41

If we only knew what orthogonal meant… hawww

jafullersr (jafuller@starbucks.com)
2017-12-13 16:56:38

Keep in mind that very soon all DEP devices will be supervised. There will no longer be the option for non-supervised DEP enrolled devices. So while you’re contemplating this now, in the near future there will be no option. You may want to consider supervision whether you use the settings specific to supervision or not.

👍 Jason
aaron (aaron@groundctl.com)
2017-12-13 17:57:46

@jafullersr often I see the question in regards to VPP on older, non-DEP devices. If people conflate VPP with DEP, then they think they can’t use VPP with their existing fleet. But that isn’t correct.

aaron (aaron@groundctl.com)
2017-12-13 18:00:07

Similarly, while DEP implies supervision (at least it will soon), the reverse isn’t true. You can supervise WITHOUT DEP, and still get all the benefits. (I know you know this @jafullersr but sometimes I feel like shouting it anyway.)

jafullersr (jafuller@starbucks.com)
2017-12-13 18:55:41

@aaron VPP was made available long before DEP. Remember redemption codes? Coupling the two together in the right way will add value, however they can be mutually exclusive.

Mark Vonk (mark.vonk@dahvo.com)
2017-12-14 07:08:31

With DEP you can deploy apps using VPP based on the device (device ID based VPP) it does not require an Apple ID. Without DEP you can not. So there is a difference, but VPP does not require (yet I believe as Apple is mandating DEP and supervision more and more) DEP.

Tobias (tobias.gruenewald@ebf.com)
2017-12-14 08:16:43

I need to object to this statement as it is incorrect. Device-based VPP can be used for all devices, regardless of DEP enrollment. DEP removes the requirement for the Apple ID on the device at device setup time. Device-based VPP removes the requirement for the Apple ID for app installation. So combining both removes Apple ID requirement for EMM environments altogether. But that does not mean that both technologies cannot be used separately.

aaron (aaron@groundctl.com)
2017-12-14 09:22:25

Oooh, a rare opportunity to slightly improve an answer from @Tobias! “DEP removes the requirement for the Apple ID on the device at device setup time” — nope, the Apple ID setup screen may be skipped even without DEP.

aaron (aaron@groundctl.com)
2017-12-14 09:25:24

DEP = Streamlined device setup. VPP = license lots of apps.

Jason (jasonh@bridgeway.co.uk)
2017-12-14 09:29:12

Oooh, a rare opportunity to slightly improve an answer from @Tobias and @aaron! “DEP removes the requirement for the Apple ID …” - this is technically a function of supervision, not DEP. The two are often conflated, but it is an important distinction for those who cannot/will not subscribe into DEP, yet can still benefit from this by using Apple Configurator…

aaron (aaron@groundctl.com)
2017-12-14 09:29:42

Correct!

Jason (jasonh@bridgeway.co.uk)
2017-12-14 09:29:58

I’m expecting @aaron to mention GroundControl at any moment… 😉

aaron (aaron@groundctl.com)
2017-12-14 09:30:20

*Thread Reply:* No need now! Thanks!

Jason (jasonh@bridgeway.co.uk)
2017-12-14 09:31:04

*Thread Reply:* Hahaha! NP, my pleasure!

Jason Bayton (jason@bayton.org)
2017-12-14 09:35:04

This has been a fun and familiar conversation :) So to summarise the UX:

Supervised: silent VPP device based install
Non-supervised: user-prompted device based install

IE functionally the same, but the user gets a ping to confirm if supervision isn't present, regardless whether or not they have an iTunes account on the device.

👍 Tobias, Jason, Dominik
Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-14 17:39:24

@Preetham Guram has joined the channel

Sherman Chen (shermanc@mobileiron.com)
2017-12-14 18:07:14

@Sherman Chen has joined the channel

Tycho (tycho@schenkeveld.com)
2017-12-15 12:47:37

@Tycho has joined the channel

Darryl Miles (darryl_miles@au1.ibm.com)
2018-01-13 08:33:40
Woody (eric.woodland@trust.tc)
2018-01-16 06:10:51

Apple at Work - Hrmm, that sounds kind of familiar. https://www.apple.com/business/

Jason Bayton (jason@bayton.org)
2018-01-16 10:35:03

It's pretty general terminology. Can't knock them for using work :p

Woody (eric.woodland@trust.tc)
2018-01-16 22:42:45

It’ll soon be updated to Apple Enterprise 😆

😛 Jason Bayton
jafullersr (jafuller@starbucks.com)
2018-01-17 00:53:22

Believe it or not, it was Apple for Enterprise a while ago. Then Apple for Business (to broaden the view), now Apple for Work. 🤷

jafullersr (jafuller@starbucks.com)
2018-01-17 00:54:09

enterprise.apple.com still works.

jafullersr (jafuller@starbucks.com)
2018-01-17 00:54:22

I think that’s for AppleCare now…

Woody (eric.woodland@trust.tc)
2018-01-17 01:28:09

Haha - I do recall the mention of Enterprise awhile back. ¯_(ツ)_/¯

rterakedis (rterakedis@vmware.com)
2018-01-17 14:42:40

@rterakedis has joined the channel

csimonds (csimonds@perkinscoie.com)
2018-01-19 16:52:01

@csimonds has joined the channel

Kiza (kiza@zoranmiskovic.com)
2018-01-21 13:56:04

@Kiza has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-23 07:52:00

Folks, anyone else having issues with sent items not replicating to iPhones running the latest iOS?

Mark Vonk (mark.vonk@dahvo.com)
2018-01-23 10:28:59

No issues here, no customer complaints either.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-23 11:05:15

hmmm, thanks .... seems to be an interesting one...

Mark Vonk (mark.vonk@dahvo.com)
2018-01-23 11:57:47

I do notice, myself, that some emails do not get pushed with iOS 11.2. This happens every couple of days. Seems to be related to network changes (wifi vs. 4g). Also, mail seems to display the "downloading" status on the bottom a lot more.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-23 13:21:38

looks like a bug in office 365 that MS pushed last week. EX127850 - iOS Devices issue with Exchange ActiveSync

Mark Vonk (mark.vonk@dahvo.com)
2018-01-23 13:26:17

Yes indeed on Office365. If I google EX127850, I don't find anything related though. Where is your info from?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-23 13:37:03

you won't see it unless you log into your admin portal to see the advisories.

Mark Vonk (mark.vonk@dahvo.com)
2018-01-23 13:44:29

Weird, checked the Service health going back 30 days but can't find it. Not in the message center either. Anyway, do not have the issue with Sent items. It is persistent and for more than one user?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-23 13:51:04

yes, also affecting contact sync as well. seems MS know about the issue and are patching their servers at the moment

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-23 13:51:50

essentially end users are seeing sync of sent items stop, and contact sync stop. only affects iOS users

Woody (eric.woodland@trust.tc)
2018-01-23 18:48:35

https://9to5mac.com/2018/01/23/ios-11-2-5/

👍 Jay, Woody, Simon Hardy-Bistagne
aaron4mobile (aaronleavey@gmail.com)
2018-01-24 16:10:11

@aaron4mobile has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2018-01-25 11:20:26

iOS 11.3 will have an enforcedSoftwareUpdateDelay restriction payload, just like MacOS: Supervised only. This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date.

The max is 90 days and the default value is 30.

Availability: Available only in iOS 11.3 and later and macOS 10.13.4 and later.

👍 Woody, Darryl Miles, Norton
Damian (support@expertmobilite.com)
2018-01-25 11:53:28

@Damian has joined the channel

Woody (eric.woodland@trust.tc)
2018-01-26 19:34:51

Curious: Has anyone ever needed to shift devices between DEP Account A and DEP Account B (both accounts owned by the same parent company)?

Woody (eric.woodland@trust.tc)
2018-01-26 19:37:03

I’d like to know if Apple has a standard process in place for this request, or if it would need to be something submitted by their account rep

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-26 19:38:10

Not myself. Though interested to hear if anyone has. My expectation is that you'd have to get Apple involved as once you release a device from a DEP account you can't register it again.

The DEP support team are actually pretty helpful for an Apple support team.

What's the business case for doing this? It would be simpler to keep the old DEP account and have it route to the same EMM instance as the new/other one.

Woody (eric.woodland@trust.tc)
2018-01-26 19:39:04

Yeah, I was hoping there wouldn’t need to be a “Disown” action as part of the exercise. More a transfer behind the scenes

Woody (eric.woodland@trust.tc)
2018-01-26 19:39:33

It’s a company who is splitting-off one of their entities to a new and totally separate line of business

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-26 19:41:17

yeah that's a good business case. there's a lot that apple need to clean up about the dep portal and its processes.

Changing the Agent account
Deleting an admin account
Only allowing a single Agent account

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-26 19:41:35

Forcing a "real person" as the agent as opposed to a generic email

Woody (eric.woodland@trust.tc)
2018-01-26 19:42:09

I concur. It’s good, but could be better

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-26 19:42:49

Well.... it's still light years ahead of android zero touch 😉

A call to the dep support should clear things up... let me know how you go as it's an interesting question

Jason Bayton (jason@bayton.org)
2018-01-26 20:01:32

*Thread Reply:* Ah yeah, because having a central portal you can add and remove resellers from at will is proper stoneage 😛

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-26 20:02:56

*Thread Reply:* There are only 2 of them!! lmao I'm gagging to try it... trying to get AT&T to get access for me at the mo.

Jason Bayton (jason@bayton.org)
2018-01-26 20:04:25

*Thread Reply:* 4 now thank you very much 😆

Jason Bayton (jason@bayton.org)
2018-01-26 19:49:37

Disown, configurator add to other DEP account if you're in a pinch

aaron (aaron@groundctl.com)
2018-01-26 22:16:35

*Thread Reply:* Agree. I’ve done this and it will work.

👍 Jason Bayton
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-26 19:52:11

Encrypted email reading in native iOS mail with Office 365

DON'T ENABLE IT!! Well... not yet!

So... MS released a "new" feature a few months back called server side decryption that allows encrypted emails to be read on mobile devices (and by external recipients outside of the org) in a safe and secure way. It needs either an RMS enlightened email client (outlook on desktop, on mobile using outlook mobile, or the samsung native mail client) or a webmail client like outlook, gmail, yahoo etc.

That all works great.

There is however a function that enables iOS devices to be able to read and reply to these mails within the native client... the difference being that the client won't recognise the RMS rights attached to the mail. This isn't a security issue as the email server will still recognise the rights, but you don't get the same mail client warning of the rights.

It's this function YOU MUST NOT YET ENABLE... If you do... it will take down your entire iOS estate stopping the devices syncing their contacts, and their sent items....

MS are patching all their o365 servers, but it's going to take a few weeks.

👀 Woody
👍 NicolasR
Woody (eric.woodland@trust.tc)
2018-01-26 19:52:38

Yeah - These will be devices that are in the field, so Configurator most likely won’t come into play @Jason Bayton

Woody (eric.woodland@trust.tc)
2018-01-26 20:00:47

Interesting @Simon Hardy-Bistagne.

Paul_O (paulo@bridgeway.co.uk)
2018-01-29 16:55:44

@Paul_O has joined the channel

Roman Kleyn (kleyn.roman@web.de)
2018-01-29 22:38:38

@Roman Kleyn has joined the channel

Amine (amine.ayad@gmail.com)
2018-01-30 10:15:36

Hi everyone, do you know an app / software that can report on the resources used by installed apps on iOS ?

Amine (amine.ayad@gmail.com)
2018-01-30 10:16:01

This is for an in-house app, as part of the QA process. Just curious about whether such a solution exists.

Jeremy (jeremy@bodokh.com)
2018-01-30 10:40:13

You can do it with MDM Commands

Jeremy (jeremy@bodokh.com)
2018-01-30 10:40:47

InstalledApplicationList command will return the BundleSize and DynamicSize (The size of the app’s document, library, and other folders, in bytes.)

👍 Amine
Amine (amine.ayad@gmail.com)
2018-01-30 10:46:31

*Thread Reply:* Thank you, do you know which MDM solution on the market has this ability? (displays those details on their console).

Jeremy (jeremy@bodokh.com)
2018-01-30 10:47:28

*Thread Reply:* I don’t know

Jeremy (jeremy@bodokh.com)
2018-01-30 10:47:35

*Thread Reply:* we don’t support this yet

Jeremy (jeremy@bodokh.com)
2018-01-30 10:47:42

*Thread Reply:* and for the others I don’t know

Tobias (tobias.gruenewald@ebf.com)
2018-01-31 16:28:30

Any idea on how to get an AppConfig XML schema file for Outlook uploaded to the AppConfig repository (http://d2e3kgnhdeg083.cloudfront.net)? As Microsoft is no AppConfig member I strongly assume they will not provide it on their own. Will AppConfig accept specfiles for apps of non-members? Configuring the Outlook app through MDM will be a huge customer demand.

Woody (eric.woodland@trust.tc)
2018-01-31 16:53:18

@Jason Bayton had reached out to his contact @ VMW regarding changing AFW to AE, because they apparently own the site. Perhaps he can get in touch with the owner of the content as well.

Tobias (tobias.gruenewald@ebf.com)
2018-01-31 17:01:05

The question is, if AW is also responsible for uploading stuff to the repo. I know the repo itself is hosted/operated by MI but do not know, who the contact is for uploading files to it.

👍 Woody
Tobias (tobias.gruenewald@ebf.com)
2018-01-31 17:02:52

@Russell Mohr any ideas?

Russell Mohr (rmohr@mobileiron.com)
2018-01-31 17:06:26

Let me do some digging

Russell Mohr (rmohr@mobileiron.com)
2018-02-02 05:02:34

@Tobias making “some” progress- hold tight

👍 Woody
Tobias (tobias.gruenewald@ebf.com)
2018-02-02 08:09:28

well, it's not urgent, more on the "nice to have" side of things, thx for chasing

Jorge Escala (jorge.escala@gmail.com)
2018-02-02 22:58:04

@Jorge Escala has joined the channel

Russell Mohr (rmohr@mobileiron.com)
2018-02-08 07:04:36
Russell Mohr (rmohr@mobileiron.com)
2018-02-08 07:05:31

@Tobias is this visible on your cluster too? I wonder if you see the appconfig configurations on yours…

Russell Mohr (rmohr@mobileiron.com)
2018-02-08 07:05:40

I don’t know if it works BTW….

Russell Mohr (rmohr@mobileiron.com)
2018-02-08 07:06:21

Also, in Core 9.7, we will be able to add KVP’s for apps with the InTune SDK

Jason Bayton (jason@bayton.org)
2018-02-08 08:55:02

Yeah it works @Russell Mohr. Tested it when they launched.

👍 Russell Mohr, Woody
Jason (jasonh@bridgeway.co.uk)
2018-02-08 15:12:12

Just because it came up in conversation today:

Jason (jasonh@bridgeway.co.uk)
2018-02-08 15:12:13
Russell Mohr (rmohr@mobileiron.com)
2018-02-13 03:50:31

https://www.mobileiron.com/en/smartwork-blog/what-every-company-should-consider-when-evaluating-years-most-anticipated-apple

👍 julien
Jason Bayton (jason@bayton.org)
2018-02-13 09:44:16

*Thread Reply:* "For generic Android, we may also see a future capability for devices that run Android enterprise (formerly Android for Work) before long."

It's already possible to defer AE updates using any half-decent EMM 😛

Russell Mohr (rmohr@mobileiron.com)
2018-02-13 14:13:32

*Thread Reply:* Coming soon!

😁 Jason Bayton, Woody
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-02-20 06:55:40

Interesting change to apple device policy coming.

http://iphone.appleinsider.com/articles/18/02/15/apple-says-all-new-iphone-apps-must-support-ios-11-sdk-iphone-x-display-as-of-april

Steven Parker (steven9205@gmail.com)
2018-02-20 09:54:00

@Steven Parker has joined the channel

Eric Bos (ericbos1@ie.ibm.com)
2018-02-22 09:29:30

@Eric Bos has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2018-02-22 12:28:41

@Russell Mohr yeah, the AppConfig is now available on our (and probably any AppConfig supporting) EMM platform. Unfortunately it seems the file I uploaded her contains unnecessary whitespace in one of the keys ("com.microsoft.outlook.EmailProfile.EmailAddress "). This may render the config incorrect. At least I was not able to configure Outlook for iOS using it.

Russell Mohr (rmohr@mobileiron.com)
2018-02-22 14:06:43

Crap

Russell Mohr (rmohr@mobileiron.com)
2018-02-22 14:07:15

Let me see if they can address that

Russell Mohr (rmohr@mobileiron.com)
2018-02-22 14:07:46

But I don’t know if it will work. The config is intended for the InTune MAM SDK

Russell Mohr (rmohr@mobileiron.com)
2018-02-22 14:07:57

It’s XML just like appconfig

Russell Mohr (rmohr@mobileiron.com)
2018-02-22 14:08:17

But I wonder if it will work

Russell Mohr (rmohr@mobileiron.com)
2018-02-22 14:08:36

Kind of an experiment here

Tobias (tobias.gruenewald@ebf.com)
2018-02-22 15:03:01

Will do some more tests today and update you

macbentosh (benbergthold@gmail.com)
2018-02-22 21:15:26

anyone deploying vmware view

macbentosh (benbergthold@gmail.com)
2018-02-22 21:15:27

?

Woody (eric.woodland@trust.tc)
2018-02-22 21:48:01

As-in the Horizon client, @macbentosh? We did it at Kindred for a couple projects.

macbentosh (benbergthold@gmail.com)
2018-02-22 22:38:24

how do you set the server to connect to with a config profile and not a URI

aaron (aaron@groundctl.com)
2018-02-22 22:54:12
aaron (aaron@groundctl.com)
2018-02-22 22:55:16

(It’s a bit AirWatch focused, but it really describes AppConfig that can be used with whatever MDM)

macbentosh (benbergthold@gmail.com)
2018-02-22 23:08:44

wonder how to translate that to be used in MI

aaron (aaron@groundctl.com)
2018-02-22 23:12:00

@aaron uploaded a file: appconfig

aaron (aaron@groundctl.com)
2018-02-22 23:12:45

It’s JSON within XML, which is really weird. Are you OK editing the JSON to match your environment?

macbentosh (benbergthold@gmail.com)
2018-02-22 23:12:59

title it com.vmware.viewclient.plist and point it to the bundle id?

aaron (aaron@groundctl.com)
2018-02-22 23:13:07

right

macbentosh (benbergthold@gmail.com)
2018-02-22 23:13:24

kinda

macbentosh (benbergthold@gmail.com)
2018-02-22 23:13:31

only would have one server

aaron (aaron@groundctl.com)
2018-02-22 23:13:58

[Disclaimer: I’ve never configured Horizon. I’m doing this based on an understanding of AppConfig.]

aaron (aaron@groundctl.com)
2018-02-22 23:14:25

It’s now one server…

macbentosh (benbergthold@gmail.com)
2018-02-22 23:15:14

looks like what i did now

macbentosh (benbergthold@gmail.com)
2018-02-22 23:34:22

IT WORKED!!!

👍 Woody, Jonathan Henson
aaron (aaron@groundctl.com)
2018-02-22 23:34:53

Awesome.

macbentosh (benbergthold@gmail.com)
2018-02-22 23:42:09

wish I could push the password too lol

aaron (aaron@groundctl.com)
2018-02-22 23:46:59

Well, use Workspace One.

macbentosh (benbergthold@gmail.com)
2018-02-23 15:04:55

?

Jason Bayton (jason@bayton.org)
2018-02-23 15:17:09

Is your keyboard broken there @macbentosh? 😉

Tobias (tobias.gruenewald@ebf.com)
2018-02-23 15:51:30

It states "When you create an app configuration policy in the Azure Portal or through your MDM provider, you will need the following key value pairs". So I assumed it to be default iOS managed app configuration. Today I just created a normal plist file with the described key-value pairs to configure the iOS Outlook app. But this did not work either. But now I don't know if this is because it's just not working as I expect or if there is a conflict between my plist managed app config and the configuration retrieved from the AppConfig repo.

Tobias (tobias.gruenewald@ebf.com)
2018-02-23 15:57:33

This is the plist XML I created based on the Microsoft Technet article. And on that article I also created the AppConfig schema file.

macbentosh (benbergthold@gmail.com)
2018-02-23 16:00:44

@Jason Bayton it was more of a how to do that without switching to AW

aaron (aaron@groundctl.com)
2018-02-23 16:10:48

@macbentosh Horizon supports SSO. So if you have identity management in place maybe there is a way. But that is beyond my skills.

macbentosh (benbergthold@gmail.com)
2018-02-23 16:11:08

we don’t I think we have some ideas now.

Woody (eric.woodland@trust.tc)
2018-02-23 17:31:21

*Thread Reply:* I know a guy who has the hookup on identity management, if you guys are heading that direction 😁

macbentosh (benbergthold@gmail.com)
2018-02-23 16:36:32

Man i wish MI had exclusions….Everyone in this label but not these three

Jason Bayton (jason@bayton.org)
2018-02-23 16:38:14

It does via the label itself.. I exclude devices and users with custom attributes normally but it's pretty flexible. It just means creating a separate label is all.

macbentosh (benbergthold@gmail.com)
2018-02-23 16:49:50

sadly it’s for our app store label. A change would then repush the webclip to all

Jason Bayton (jason@bayton.org)
2018-02-23 16:54:35

Perhaps then edit the label itself with the new criteria? Untested approach in my side but should work

Woody (eric.woodland@trust.tc)
2018-02-23 17:34:18

@macbentosh like @Jason Bayton said, you can tweak the criteria for a filter label and it will just push/remove the associated configs to devices that are added/removed to the label.

Woody (eric.woodland@trust.tc)
2018-02-23 17:36:20

You can also create a new label, compare the difference in device count between old/new and (if you like) begin using the new label for distribution. Basically a seamless migration from Label A to Label B.

Jason Bayton (jason@bayton.org)
2018-02-23 17:37:57

That's one of those things I've not tried on a live environment @Woody adding one label and removing another without disruption. Sounds like it should work though.

macbentosh (benbergthold@gmail.com)
2018-02-23 17:41:22

and since i didnt start my mi server….The label is…..IOS!!!

Woody (eric.woodland@trust.tc)
2018-02-23 17:41:28

Yeah, it’ll work (now). Didn’t used to work so well back in the early Core days. Labels A/B are created and include same (or similar) devices. Configs are bound to Label A and Label B simultaneously, then removed from Label A.

Woody (eric.woodland@trust.tc)
2018-02-23 17:42:19

Yeah, but you can transition from iOS to “iOS-All” or whatever you make to bust away from the system labels

macbentosh (benbergthold@gmail.com)
2018-02-23 17:42:19

we did that for kerb

Tobias (tobias.gruenewald@ebf.com)
2018-02-23 17:54:32

Adding label, then removing definitely works without repush, we even use this for high impact profiles like Exchange. I think it was Core 4 where each label modification led to a full profile push for all devices, long long time ago 🙂

👍 Woody
Jason Bayton (jason@bayton.org)
2018-02-23 17:55:42

Well the pain is still very much felt I'm sure Tobias :p

Tobias (tobias.gruenewald@ebf.com)
2018-02-28 10:45:37

Has anyone ever seen an iOS widget (also called a "Today extension") used in conjunction with per-app VPN? A customer reports that the app itself uses the per-app VPN just fine but the widget contained in the app does not. The app developer described to me that a widget is contained in the app's .ipa but has in fact a completely separate bundle identifier. This would explain the issue as the per-app VPN profile is an assignment of bundle ID to VPN profile and the widget's bundle ID is different. Is there any way to configure this (with MobileIron in our case) or is it an iOS limitation?

Woody (eric.woodland@trust.tc)
2018-02-28 14:38:06

That’s a good question @Tobias. I do recall when working in XCode recently (for an AppleTV app) that the items such as Top Shelf (for the app to display updates on the “top shelf”) did have a separate bundle ID. So, I’d guess that holds true to the widget on iOS. My guess is that the functionality you need (in order to manage/per-app VPN the widget) does not yet exist

macbentosh (benbergthold@gmail.com)
2018-03-02 15:07:48

well got vmware with a config profile. Anyone done it for citrix?

Woody (eric.woodland@trust.tc)
2018-03-02 18:53:30

Managed App Config, right @macbentosh?

macbentosh (benbergthold@gmail.com)
2018-03-02 18:53:40

yea

Woody (eric.woodland@trust.tc)
2018-03-02 18:54:10

Nice. Not familiar with the citrix interface but I’d imagine it will either be upload the XML or use their GUI to port-in the KVPs

Woody (eric.woodland@trust.tc)
2018-03-02 18:57:49

Realistically all they are doing is transporting the XML to the device to install, so they can’t really do a whole lot different than other vendors

aaron (aaron@groundctl.com)
2018-03-02 19:40:12

Hey All. I’ve just set up single sign on for native Office 365 apps on iPhone. So far so good. Now I just need to type the Office username into one of the office apps, and badabing, no password, everything works. However to reach my goal — zero touch — I need to push the Office username too, via MDM. I’ve searched for an AppConfig key for that...no luck. O Great MobilXPerts is there such a key?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-02 19:49:21

com.microsoft.outlook.EmailProfile.EmailAccountName = {EmailAddress}
com.microsoft.outlook.EmailProfile.EmailAddress = {EmailAddress}
com.microsoft.outlook.EmailProfile.EmailUPN = {EmailUserName}
com.microsoft.outlook.EmailProfile.ServerAuthentication = 'Username and Password'
com.microsoft.outlook.EmailProfile.ServerHostName = outlook.office365.com

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-02 19:50:01

those are the keys for outlook, not sure if they will map into the other office apps

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-02 19:52:59

I'm not aware of MS releasing any appconfig keys for the other office apps but I may be wrong.

Jason Bayton (jason@bayton.org)
2018-03-02 19:59:22

Tbh I think if they had we would all know about it based on the amount of noise made about the outlook app

aaron (aaron@groundctl.com)
2018-03-02 20:06:31

Since the Office apps share credentials, maybe configuring Outlook would configure them all?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-02 20:09:23

that's my thinking.

only thing to be aware of, is when you grant access to the outlook app via azure conditional accesses, there's no granularity of device posture recognition. users will be able to install outlook on any mobile device and use it, not just a corp managed device.

You'll either need to use some kind of federated 2fa in front, or use cert auth.

👍 Woody
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-02 20:12:56

unless of course you're using intune...

aaron (aaron@groundctl.com)
2018-03-02 20:15:35

Yes, this is Workspace ONE. But really it's simply a demo.

Brett Dal Santo (brett@dalsanto.com.au)
2018-03-06 08:16:58

@Brett Dal Santo has joined the channel

Amine (amine.ayad@gmail.com)
2018-03-06 19:01:22

I can’t test this right now but can anyone confirm if pushing a self-signed cert to an iOS device will remove SSL errors in Safari when browsing to the associated website?

Leon Letto (leon@letto.ca)
2018-03-06 19:01:34

@Leon Letto has joined the channel

Woody (eric.woodland@trust.tc)
2018-03-06 19:35:08

IIRC @Amine since the identity is then installed to the store/trusted, the error in Safari should be suppressed.

jafullersr (jafuller@starbucks.com)
2018-03-07 00:18:22

@Amine You may need the certificate chain for the trust issues to be mitigated. It’s not always the specific SSL cert, it’s often that the root or intermediates are unknown.

👍 Woody
Scott Flower (scottf@bridgeway.co.uk)
2018-03-07 20:49:27

@Scott Flower has joined the channel

Steve Hayton (shayton@bridgeway.co.uk)
2018-03-07 20:49:33

@Steve Hayton has joined the channel

Martin Hodgson (martinh@bridgeway.co.uk)
2018-03-07 20:49:43

@Martin Hodgson has joined the channel

JaxxUK (paul.jacka@bridgeway.co.uk)
2018-03-07 20:53:08

@JaxxUK has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-16 11:53:30

Whow... So here's a fun one for you...

I've just had a handset vendor ask me for our EMM platform tokens so they can setup a DEP portal they control and add our EMM platforms to it, rather than adding the devices to our DEP portal.

Their justification is that as they're leased devices they aren't allowed to add them to our portal.

A) That's sketch AF
B) The DEP vendor has the power to remove devices they have added to any customer portal
C) I lease devices from Apple today who add them to our portal

😳 Woody
Jason (jasonh@bridgeway.co.uk)
2018-03-16 12:14:30

I’ve never heard of this. Who’s the supplier?

Jason (jasonh@bridgeway.co.uk)
2018-03-16 12:15:21

(And yes, everyone else processes this in the proper manner, i.e. linking them to your DEP account)

Woody (eric.woodland@trust.tc)
2018-03-16 12:48:02

Whoa - I’m curious what Apple would have to say about that…

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-16 12:50:19

Won't name names on here, but they're big enough that they should know better.

I passed their request by our Apple rep and he's confirmed that this is a breach of their T&C's. Confirming that devices should be in use by the employees of the company in control of the DEP portal for many reasons, not least that you're accepting terms and conditions between the device user/operator and apple, which a 3rd party can't legally do.

😆 Woody
👀 Woody
Jason (jasonh@bridgeway.co.uk)
2018-03-16 13:00:17

Go on… name & shame!

Jason (jasonh@bridgeway.co.uk)
2018-03-16 13:00:19

😉

Jason Bayton (jason@bayton.org)
2018-03-16 13:14:50

Brightstar?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-16 13:17:18

Ha, no not brightstar

Jason Bayton (jason@bayton.org)
2018-03-16 13:21:24

worth a go 😛

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-16 15:35:19

anyone heard of an issue where a user's iOS calendar events go missing after they change timezones, only to return an hour or so later?

Amine (amine.ayad@gmail.com)
2018-03-16 19:48:31

*Thread Reply:* I saw this a few times with Exchange 2013 and iOS 10+. As far as I can remember, the workaround was to disable Local Time Zone from the Calendar settings.

jafullersr (jafuller@starbucks.com)
2018-03-20 18:17:57

@Simon Hardy-Bistagne Isn’t that the point of the option to disown in DEP? Once the device is out of your lease terms, the company will disown the device and allow it to go back to the vendor. Terrible approach by the handset vendor.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-28 14:29:11

Deploying iOS Wallpapers... Anyone aware of how we can do this well? AirWatch simply does it based on 1 Wallpaper per Org Group, and when I have multiple different screen sizes in there it doesn't work well when rendering.

jafullersr (jafuller@starbucks.com)
2018-03-31 00:04:40

Screen size isn’t always the issue. There are some iPhones now that have a higher pixel count than some of the older iPads. We go with a high-res image for the iPad standard and it seems to work for iPad and iPhone.

Jason (jasonh@bridgeway.co.uk)
2018-03-31 11:08:40

Just in case anyone’s missed it, perhaps worth mentioning that iOS 11.3 is now out and features battery health check?

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2018-03-31 11:09:09

(New version of High Sierra macOS as well, includes Business Chat in (i)Messages)

Woody (eric.woodland@trust.tc)
2018-04-02 15:56:41

I had seen that 11.3 went live. Looking forward to cloud-based iMessage!

Jeremy (jeremy@bodokh.com)
2018-04-02 18:46:09

*Thread Reply:* It’s not in 11.3 but in 11.4 Beta 1 🙂

Woody (eric.woodland@trust.tc)
2018-04-02 22:01:32

*Thread Reply:* Ah, WTH! I wondered why there wasn’t any mention of it in the release notes. I thought it was a certainty in 11.3

Jeremy (jeremy@bodokh.com)
2018-04-02 22:34:46

*Thread Reply:* Well for now it’s a certainty in iOS Betas :)

👍 Woody
Woody (eric.woodland@trust.tc)
2018-04-02 16:03:32

Business chat makes sense too - Back when I owned/operated Entertainment Essentials (DJ Company) we had a dedicated iMessage account specifically to chat with customers. Nice to see a native function coming like that to iMessage.

Jason (jasonh@bridgeway.co.uk)
2018-04-02 17:56:38

Yeah, not quite - still requires integration at the back end. Been looking into this and the supported integrations are few and far between. SFDC being the more obvious one, but LivePerson and Genesys also on the list.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-02 17:58:58

I think it's still in beta isn't it? Only supporting a couple of US companies?

I'm sure it won't be long before remedy and service now are on there

Jason (jasonh@bridgeway.co.uk)
2018-04-02 18:05:43

You can apply, either as a potential business or as an API-integration partner.

Jason (jasonh@bridgeway.co.uk)
2018-04-02 18:06:03

Note that the service is not available outside of the US as yet.

RobE (robert.kreuzer@outlook.com)
2018-04-05 19:58:05

Has anyone been able to verify if the new killer features have found their way into the public release of 11.3? (delay updates and prevent managed contacts)

Robert R. (rr10@gmx.de)
2018-04-05 20:06:04

*Thread Reply:* Managed contact topic is in 11.3 and it’s working

RobE (robert.kreuzer@outlook.com)
2018-04-05 20:09:42

*Thread Reply:* Cool 👍 How did you test it?

NicolasR (raison_nicolas@me.com)
2018-04-05 20:17:50

*Thread Reply:* I tested it with WhatsApp unmanaged vs managing it afterwards

RobE (robert.kreuzer@outlook.com)
2018-04-05 20:21:40

*Thread Reply:* ok but is there no setting you have to push out via MDM for that to work? Simply deploy an Exchange profile via MDM and if WhatsApp is not managed the access for Exchange contacts is blocked by default?

Woody (eric.woodland@trust.tc)
2018-04-05 21:18:52

*Thread Reply:* Managed Contact (as-in keeping your managed contacts from leaking into unmanaged apps)?

Robert R. (rr10@gmx.de)
2018-04-05 21:57:58

*Thread Reply:* In MobileIron there is a setting in iOS restrictions where you can allow/disallow data exchange between managed and unmanaged content. If you restrict unmanaged access to managed data, access is denied.

👍 Woody, RobE
RobE (robert.kreuzer@outlook.com)
2018-04-06 02:59:41

*Thread Reply:* Ah got it, thanks.

RobE (robert.kreuzer@outlook.com)
2018-04-06 07:44:16

*Thread Reply:* Do you mean: "Allow documents from managed apps to unmanaged apps" - I thought this is only to restrict Open-In, not the access of the managed contacts for unmanaged apps.

Robert R. (rr10@gmx.de)
2018-04-06 07:55:53

*Thread Reply:* Correct this is the option

RobE (robert.kreuzer@outlook.com)
2018-04-06 07:56:31

*Thread Reply:* Ok thx

RobE (robert.kreuzer@outlook.com)
2018-04-06 09:58:55

*Thread Reply:* Is this a supervised feature?

Robert R. (rr10@gmx.de)
2018-04-06 10:59:04

*Thread Reply:* No it isn’t

RobE (robert.kreuzer@outlook.com)
2018-04-06 11:38:53

*Thread Reply:* Ok well then it's not really working. Deactivated both options in the restrictions, but contacts are still visible in WhatsApp. And WhatsApp is not managed!

🤔 Woody
RobE (robert.kreuzer@outlook.com)
2018-04-06 17:12:00

*Thread Reply:* Ok tried it again with a fresh device, no chance. I think we are talking about different things. I am deploying an Exchange config into the native mail app on iOS and due to the iOS release notes it can be possible to prevent WhatsApp from accessing the contacts from the native mail client. I believe you are talking about AppConnect Apps like Email+, not the native client.

NicolasR (raison_nicolas@me.com)
2018-04-06 17:40:13

*Thread Reply:* From my testing WhatsApp worked. Are you sure you applied the Allow managed to unmanaged restriction? I’ve heard that iMessage is considered as unmanaged app... any clue or info?

RobE (robert.kreuzer@outlook.com)
2018-04-06 18:00:18

*Thread Reply:* I applied a standard MobileIron iOS restriction (Core 9.6.0.2) with the setting "Allow documents from managed apps to unmanaged apps" unchecked. No idea if iMessage is considered unmanaged.

Robert R. (rr10@gmx.de)
2018-04-06 20:54:10

*Thread Reply:* I am talking about native iOS apps for contacts, mail, calendar etc. I also push an Exchange config to the device. Message app is something like hybrid. If I use the plus button in the to field, I get only access to unmanaged contacts. If I type the name directly in the to field it provides matches also from managed contacts.

Do you provide more than one iOS Restriction configuration to the device? As far as I know it must be only one.

Robert R. (rr10@gmx.de)
2018-04-06 20:56:52

*Thread Reply:* I have both options about managed to unmanaged and unmanaged to managed disabled

RobE (robert.kreuzer@outlook.com)
2018-04-07 16:19:39

*Thread Reply:* Solved it - that was more than strange. Complete device issue that I have never seen before! Downgraded the iPhone 5s from 11.3 to 11.2.6 and upgraded back to 11.3 - all via iTunes. After that, everything worked like you described! 🤔

RobE (robert.kreuzer@outlook.com)
2018-04-07 18:59:41

*Thread Reply:* @NicolasR you are right, it seems that the message app is considered unmanaged. This is not ideal and could be a dealbreaker for a lot of deployments. Is this known to anyone else?

RobE (robert.kreuzer@outlook.com)
2018-04-07 21:20:27

*Thread Reply:* Found the workaround for the message app problem - you are able to send a message to managed contacts from within the contacts app.

Robert R. (rr10@gmx.de)
2018-04-07 21:30:31

*Thread Reply:* Or type the name of a managed contact in the receiver field of the message app. You will get an overview of all contacts (managed and unmanaged) that match the name you typed.

RobE (robert.kreuzer@outlook.com)
2018-04-08 07:53:39

*Thread Reply:* Right, that's even better! Thx

NicolasR (raison_nicolas@me.com)
2018-04-08 21:57:00

*Thread Reply:* So what is not available from iMessage app?

Russell Mohr (rmohr@mobileiron.com)
2018-04-10 15:15:39

*Thread Reply:* Deferred updates made it in, and works.

✅ Woody
websterba (websterba@gmail.com)
2018-04-11 16:13:16

@websterba has joined the channel

fridomac (fridomac@googlemail.com)
2018-04-13 17:26:49

@fridomac has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-13 19:58:47

Anyone ever had much luck with shared mailboxes on mobile?

I don't want shared credentials....

Woody (eric.woodland@trust.tc)
2018-04-13 20:52:53

Yes, using CBA @Simon Hardy-Bistagne

Woody (eric.woodland@trust.tc)
2018-04-13 20:55:55

Downside is that you can’t have two mailboxes going to the same URL in iOS. So you have to get creative on what URL to send that second mailbox to.

Woody (eric.woodland@trust.tc)
2018-04-13 20:56:26

Now, if it’s just a singular shared mailbox on one device… you’ll have no issues

Woody (eric.woodland@trust.tc)
2018-04-13 21:00:51

In terms of the credential for the mailbox… you create a SCEP config with the UPN hard-coded. Then tie that to the Exchange configuration and send out…

👍 Simon Hardy-Bistagne, RobE
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-13 21:24:38

*Thread Reply:* Yes I think this will work, I was hoping to get something a bit more Accountable to the user, but I think that's just the limitations we have to work with. We also have the volume limit this way with it being a max of 100 devices connected in this way

👍 Woody
Woody (eric.woodland@trust.tc)
2018-04-13 21:42:14

*Thread Reply:* Yeah, it’s not pretty but it does do the trick

Woody (eric.woodland@trust.tc)
2018-04-13 21:42:42

*Thread Reply:* It’s better than AAs running around with their Executive’s mailbox loaded to their personal phone (unmanaged)

RobE (robert.kreuzer@outlook.com)
2018-05-07 18:10:19

*Thread Reply:* And that is supported? 😂

Woody (eric.woodland@trust.tc)
2018-05-07 20:32:09

*Thread Reply:* Yeah Rob, it’s just a cert/Exchange profile being sent down. Supported from a technology perspective, anyways.

Simon Elberts - FONDO. (simonelberts@gmail.com)
2018-04-18 22:17:07

@Simon Elberts - FONDO. has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2018-04-19 15:00:18

Went back to iOS managed app configuration for Outlook. Core 9.7 allows to override managed app config pulled from appconfig.org with a .plist file so I did just that as the XML on appconfig.org still includes the typo I initially created. Result: Creating an Exchange account pointing to a MobileIron Sentry works, but when the mail address is an actual O365 user, Outlook detects that and just transforms the account into a direct O365 connection with modern auth. Interesting detail. @Russell Mohr how can we fix the XML at the appconfig.org repository?

aaron (aaron@groundctl.com)
2018-04-19 15:30:27

@Tobias could this “detail” be used to automatically configure O365 with modern auth then?

aaron (aaron@groundctl.com)
2018-04-19 15:30:54

Because I thought the Outlook AppConfig was only for legacy auth. This discovery could be quite big.

👍 Simon Hardy-Bistagne, Jason
Woody (eric.woodland@trust.tc)
2018-04-19 15:47:45

On that note - Does Core now search for and pull managed configuration configurations from AppConfig.org?

Woody (eric.woodland@trust.tc)
2018-04-19 15:48:29

I noticed it populated a Managed App Config Key/Value pair field for Mobile@Work, but not for a couple others I imported

Tobias (tobias.gruenewald@ebf.com)
2018-04-19 17:00:07

As far as I know Core pulls every managed app config from the appconfig.org repo if the bundle ID matches. The Salesforce App for example has one. You can verify if a config exists by checking the URL https://d2e3kgnhdeg083.cloudfront.net/<app-buindle-id>/current/appconfig.xml Do you have an example for an app where it does not work?

👍 Woody, NicolasR
Tobias (tobias.gruenewald@ebf.com)
2018-04-19 17:03:52

@aaron Well, it allows to configure the mail address/user ID. The account showed up as "Exchange" account in Outlook. After entering the user's password he suddenly was redirected to our ADFS and after authenticating there the "Exchange" account was gone and only an "O365" account remained. I do not think that this is a good user experience. Will test tomorrow with a setup to directly configure O365.

aaron (aaron@groundctl.com)
2018-04-19 17:07:25

In our case we have SSO using SAML and Workspace One. So if there is a way to assign the mail address/user ID, then the rest could be automatic… Fingers crossed.

jafullersr (jafuller@starbucks.com)
2018-04-19 17:13:54

@aaron I’m very interested in your results. 🙂

aaron (aaron@groundctl.com)
2018-04-19 19:15:32

@Tobias no luck here yet. But I just noticed that you were entering the user password first, then it redirected you? Well that’s no SSO….

Russell Mohr (rmohr@mobileiron.com)
2018-04-19 21:34:00

@Tobias can you send me the full corrected version? I’m told there are also some supplemental parameters coming from another source at MobileIron. Where was the exact error again?

Russell Mohr (rmohr@mobileiron.com)
2018-04-19 21:34:28

Also you can just email it to me…

aaron (aaron@groundctl.com)
2018-04-19 22:38:59

@Russell Mohr there seems to be an extra space in one of the parameters… ><string keyName=“com.microsoft.outlook.EmailProfile.EmailAddress “>

Russell Mohr (rmohr@mobileiron.com)
2018-04-19 22:40:21

Thanks @aaron. @Tobias if you can still email over full “golden” XML file it will make life easier for a certain person named Russ

😆 Woody, NicolasR
Tobias (tobias.gruenewald@ebf.com)
2018-04-20 08:54:38

@Russell Mohr you've got 📧

👍 Woody, Russell Mohr, NicolasR
Russell Mohr (rmohr@mobileiron.com)
2018-04-20 16:44:05

I’ll follow up when I have some news. Thanks @Tobias

Tobias (tobias.gruenewald@ebf.com)
2018-04-23 16:17:02

Today I configured an "Exchange" account to the iOS Outlook app using "outlook.office365.com" as server name. The behavior is the same as before. You need to enter a password (cannot be set through AppConfig) which is completely ignored as soon as Outlook detects the mail address as being O365 hosted. It switches to modern auth and redirects to the IdP (here ADFS).

So preconfiguring Outlook for iOS with managed app config is really just for on-prem Exchange (as the MS article states).

aaron (aaron@groundctl.com)
2018-04-23 16:40:06

Wow @Tobias I will test!

jafullersr (jafuller@starbucks.com)
2018-04-23 17:42:35

Just ran through this and you’re correct. Outlook is pushing us through modern auth and our own IdP. We have a CASB, but I can’t tell if it’s still in use with this pattern. I’m hoping to drill into this too.

jafullersr (jafuller@starbucks.com)
2018-04-27 02:17:17

Hello, does anyone have a good, clear approach to pre-loading videos onto devices en masse?

Russell Mohr (rmohr@mobileiron.com)
2018-04-27 15:20:55

@Tobias @aaron corrected Outlook appconfig app queued up for deployment. I’ll let you know when it goes live. Thanks for testing and confirming the MS docs are correct (on prem Exchange only)

👍 RobE
Russell Mohr (rmohr@mobileiron.com)
2018-04-27 15:21:56

@aaron you would probably know best around @jafullersr’s question on preloading content…

aaron (aaron@groundctl.com)
2018-04-27 17:53:25

@jafullersr sure thing. Ping me if you have a chance.

Ankur Acharya (ankuracharya@gmail.com)
2018-04-28 03:47:04

@Ankur Acharya has joined the channel

aaron (aaron@groundctl.com)
2018-05-02 23:02:27

Apple stopped signing iOS 11.3, so only iOS 11.3.1 can be installed. Except I thought MDMs can target a specific iOS version to install within a 90-day window. How’s that going to work now? 😕

🤔 Woody, Jason, Russell Mohr
RobE (robert.kreuzer@outlook.com)
2018-05-07 18:12:22

*Thread Reply:* Not target a specific iOS version, but delay the installed version which does need to be signed!

Woody (eric.woodland@trust.tc)
2018-05-03 15:21:25

I’d suppose this is kind of a unique scenario, but does kind of make you wonder what they will do going forward.

aaron (aaron@groundctl.com)
2018-05-03 15:28:13

Apple’s MDM Protocol Reference includes this new web service to identify which iOS versions are available. But it hasn’t been updated in weeks. It shows 11.3, but not 11.3.1. Obviously wrong. No wonder the MDMs aren’t really supporting 11.3 yet.

aaron (aaron@groundctl.com)
2018-05-03 15:29:44

@aaron uploaded a file: image.png

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-05 07:52:40

Fun fact. Apple DEP fails to authenticate if your user password has a special "non English" character in it... We've had it with Norwegian characters this week.

onires53 (jason.r.serino@gmail.com)
2018-05-11 01:36:53

*Thread Reply:* Thanks @Simon Hardy-Bistagne. Didn't realize this.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-11 08:10:54

*Thread Reply:* Been raised as a bug to Apple. Will see what happens.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-08 08:14:44

Folks I have a strange one for you.

We have a user whose calendar disappears when they've landed from a flight that's passed into a new timezone.

Their calendar comes back an hour or so later but everything we've done doesn't seem to resolve, even down to refreshing the phone.

Has anyone seen activity like this before?

jafullersr (jafuller@starbucks.com)
2018-05-08 16:45:21

*Thread Reply:* Can you provide a bit more detail on the device, OS, timezone (from/to) and calendar backend platform? I haven’t heard of this, but it is intriguing.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-08 17:06:18

*Thread Reply:* So, iPhone (follows her from iPhone 7, through to now her X).

Native iOS mail client.

Backend is Office 365, and device is 11.3 and 11.2

Doesn't affect her iPad.

Timezone change is any to any.

jafullersr (jafuller@starbucks.com)
2018-05-08 17:07:39

*Thread Reply:* Wow, that is odd. Do you have access to O365 tenant settings?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-08 17:08:06

*Thread Reply:* Sure do.

Can't see anything out of the norm on her end.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-08 17:09:42

*Thread Reply:* Originally thought it was a corrupt calendar, as it followed her to new devices but she always did a device restore to set the new one up.

But set her a fresh device up, no restore, and when she landed lately, it worked fine... until she connected to wifi and the calendar wiped.

jafullersr (jafuller@starbucks.com)
2018-05-08 17:28:48

*Thread Reply:* dang

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-08 17:29:24

*Thread Reply:* Yeah... it’s a mind bender... that’s for sure

jafullersr (jafuller@starbucks.com)
2018-05-08 22:12:06

*Thread Reply:* I can’t find anything that would be the cause for this sort of thing. Worst case, recreate the mailbox?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-09 11:26:23

*Thread Reply:* I think we've found the issue...

Seems this exec has been entirely disabling location services on her device. I think this has been playing games with the timezone changes and potentially the agent compliance checks.

Strange it's only affecting the calendar and not other items, but enabling location setting seems to have resolved for the moment.

Jason Bayton (jason@bayton.org)
2018-05-12 23:39:53

@here Google have asked me to put together battlecards to provide to partners as part of their increasing focus on enabling Android in the enterprise. I'm looking for assistance/volunteers to help me out on the iOS side please. Focusing on: management, security, flexibility and more (for DEP there's zero-touch, for VPP there's BPP, for work profile there's managed apps, etc.)

👍 Simon Hardy-Bistagne
Jason Bayton (jason@bayton.org)
2018-05-12 23:45:49

*Thread Reply:* I can reasonably tackle the Android enterprise side of this, but I want to remain objective and obviously I have a natural bias, as would those focusing primarily on iOS.

When Google mentioned it going to partners (EMMs, ISVs, etc) I thought this would be a great opportunity to 1) provide a factual comparison and 2) highlight the level(ish) playing ground both OS' are fighting on.

If anyone would like to get involved I'll share more details 🙂 I want to turn this around quite quickly. No financials involved, I volunteered to help the ecosystem as I've done with the rest of my docs.

Amine (amine.ayad@gmail.com)
2018-05-13 21:08:15

*Thread Reply:* Count me in :-)

Jason Bayton (jason@bayton.org)
2018-05-13 21:31:04

*Thread Reply:* Perfect, I'll get what I've got so far "shareable" and ping you.

Jeremy (jeremy@bodokh.com)
2018-05-14 10:11:27

*Thread Reply:* I can also help ;)

Preetham Guram (spurtipreetham.g@gmail.com)
2018-05-15 17:08:30

*Thread Reply:* I worked on something similar while at Apple for education space during Apple School Manager days. If there is something I can do to help. I would love to.

aaron (aaron@groundctl.com)
2018-05-22 12:27:34

Apple System Status shows VPP issues since yesterday. Is anyone having problems?

aaron (aaron@groundctl.com)
2018-05-22 12:27:41
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-22 12:31:16

Don't use it here I'm afraid

Woody (eric.woodland@trust.tc)
2018-05-22 13:58:59

Love their verbosity in the description of the issue. Good luck users, whoever you are. It might work. Then again, it may not 🤖

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-22 13:59:35

I don't think anyone has ever accused Apple of being overly transparent!

😆 Woody
Woody (eric.woodland@trust.tc)
2018-05-22 14:11:57

True, @Simon Hardy-Bistagne

NicolasR (raison_nicolas@me.com)
2018-05-22 14:24:14

I hate when customers take bad decisions... One of them decided to remove the iOS managed apps restrictions for documents open-in since iOS 11.3 adds the contacts to this restriction.

NicolasR (raison_nicolas@me.com)
2018-05-22 14:24:18

🤦‍♂️

NicolasR (raison_nicolas@me.com)
2018-05-22 14:24:38

Users won because they want access to Corp contacts in WhatsApp

NicolasR (raison_nicolas@me.com)
2018-05-22 14:25:48

Just opened a radar to ask Apple to create separate restriction for contacts and documents. 4179277

Woody (eric.woodland@trust.tc)
2018-05-22 14:32:17

Oh, wow @NicolasR

Woody (eric.woodland@trust.tc)
2018-05-22 14:33:04

Sounds like shadow IT is taking over on that front. Perhaps the customer should consider providing a decent communication suite.

NicolasR (raison_nicolas@me.com)
2018-05-22 14:51:03

They have “allowed” officially users to use Signal... (whisper systems)

NicolasR (raison_nicolas@me.com)
2018-05-22 14:51:10

This is not enough

Fabian (mobilxperts@neokortex.de)
2018-05-26 22:18:14

I'd prefer Apple to also provide restrictions for unmanaged Calendar access. Calendars contain much more confidential information than contacts...

Does your customer know GDPR? ;-) That might be an expensive risk to take :)

NicolasR (raison_nicolas@me.com)
2018-05-28 16:04:13

I know... we already communicated about GDPR!... that’s complete nonsense...

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-28 16:23:58

Gdpr??

What's that... Never heard of it....

😄 NicolasR, Woody
Fabian (mobilxperts@neokortex.de)
2018-05-28 21:49:41

They could make WhatsApp managed and set up a data privacy contract with Facebook. I don't know whether someone ever tried that :D

😂 NicolasR
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-30 19:00:49

So, iOS 11.4 has dropped.

Always fun to watch the uptake as it goes across the estate!

Woody (eric.woodland@trust.tc)
2018-05-30 19:34:25

Haha

Woody (eric.woodland@trust.tc)
2018-05-30 19:34:44

I went ahead and updated - Wanted to see how Messages in the Cloud would play out.

Preetham Guram (spurtipreetham.g@gmail.com)
2018-05-30 19:45:15

Did any of you try stereo with two HomePods with AirPlay 2?

Jeremy (jeremy@bodokh.com)
2018-05-30 19:50:23

And iOS 11.4.1 Beta has just dropped

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-30 19:51:12

500 users on 11.4 and counting...

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-30 19:51:34

(24 users still on 7.1 but we dont talk about those)

😆 Woody
Woody (eric.woodland@trust.tc)
2018-05-30 20:01:28

7.1 - Wow. Those people who just don’t leave the stone age…

Woody (eric.woodland@trust.tc)
2018-05-30 20:02:04

@Preetham Guram I’m actually more pumped about being able to use AirPlay 2 with my Sonos units in the house.

👍 Jay
Preetham Guram (spurtipreetham.g@gmail.com)
2018-05-30 20:07:56

Right. I forgot about that. Do share your experience.

Woody (eric.woodland@trust.tc)
2018-05-30 20:17:58

They’ve been doing their homework with the betas, as they announced that Sonos One, Play:5 and Playbase would all be compatible. I’ll keep you posted

Woody (eric.woodland@trust.tc)
2018-05-30 20:18:50

The cool part is that you can AirPlay 2 to any of those units, then group legacy speakers to play through them as well.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-30 20:21:19

Yeah... I've been sending out threatening emails lately as they'll be coming off the platform in a few weeks.

I have people on 8.x whose devices support 11.4.... no excuses so I'll be getting the stick out soon.

Woody (eric.woodland@trust.tc)
2018-05-30 20:31:17

Boo, Giphy doesn’t have much in terms of “Beat into Compliance”

🤣 Jason
Daniel Harris (daniel.harris@okta.com)
2018-05-31 16:59:24

@Daniel Harris has joined the channel

NicolasR (raison_nicolas@me.com)
2018-06-04 15:55:01

Hello @here did you ever see that behavior?

  • On a MDM managed WiFi configuration
    -- Adding a proxy to this configuration works perfectly
    -- Removing the proxy from this config doesn't work, the proxy stays configured even if the profile says "no proxy"
NicolasR (raison_nicolas@me.com)
2018-06-04 15:55:09

iOS 11.3 & iOS 11.4

Luc (luc.rames@digitaldimension.fr)
2018-06-04 15:55:32

nop

NicolasR (raison_nicolas@me.com)
2018-06-04 16:13:52

same behavior with Apple Configurator + a manual profile

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-04 16:23:16

Not seen that no.

Tried removing then reinstalling the profile rather than just update?

NicolasR (raison_nicolas@me.com)
2018-06-04 16:23:33

Removing and re-installing the profile works

NicolasR (raison_nicolas@me.com)
2018-06-04 16:23:39

but there is end-user impact 🙂

NicolasR (raison_nicolas@me.com)
2018-06-04 16:24:06

Submitting bug report to Apple 😆

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-04 16:24:40

Install 2.0 profile then remove original??

Yes report to apple is a good shot... Sounds like a bug.

NicolasR (raison_nicolas@me.com)
2018-06-04 16:25:37

Also tested the second profile installation and removing the first one, same behavior

👍 SebastienP
NicolasR (raison_nicolas@me.com)
2018-06-04 16:34:21

Tycho (tycho@schenkeveld.com)
2018-06-06 17:03:05

Maybe it's better to report it on apple's bugreporter as I don't think they officially monitor openradar. https://bugreport.apple.com/web/

NicolasR (raison_nicolas@me.com)
2018-06-07 20:08:22

*Thread Reply:* Openradar is only to show to the community which are the open radar while Apple doesn’t provide any access to bugs reported.

Jack Madden (jackalexandermadden@gmail.com)
2018-06-08 19:59:22

@Jack Madden has joined the channel

Preetham Guram (spurtipreetham.g@gmail.com)
2018-06-12 06:39:17

I had the privilege to work on this 3 years ago.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 12:18:17

is anyone having issues with DEP enrolment today?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 12:19:22

i have a number of users reporting hanging at the "deployment" window

aaron (aaron@groundctl.com)
2018-06-12 12:51:09

Shocking.

aaron (aaron@groundctl.com)
2018-06-12 12:53:45

@Simon Hardy-Bistagne you can’t get past setup assistant on devices? Or can’t view the online DEP portal?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 12:56:18

just had a couple of users reporting issues around downloading the config from the dep server

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 12:57:08

and then getting error'd out

aaron (aaron@groundctl.com)
2018-06-12 12:58:03

The DEP process is split into two parts: Apple and your MDM. The Apple part is just after the WiFi screen. If they are prompted for User ID and Password, and THEN it is failing, then it’s your MDM that’s not doing its thing.

aaron (aaron@groundctl.com)
2018-06-12 12:59:18

That “Apple Part” tells the device (a) which setup screens to skip and (b) the MDM enrollment URL to use after the setup screens.

👍:skin_tone_3: Preetham Guram, Woody
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 13:06:24

Yep, that's as I understood it to work.

This is all before any engagement with the MDM. So during the download of the dep config from Apple.

jafullersr (jafuller@starbucks.com)
2018-06-12 15:58:53

We haven’t heard of any issues with our devices this morning. All of our corporate issued iOS devices are in DEP.

Preetham Guram (spurtipreetham.g@gmail.com)
2018-06-12 16:00:55

I didn’t see any issues with DEP either.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 16:02:28

fair enough...

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-12 22:06:23

@Alex Mercer has joined the channel

Woody (eric.woodland@trust.tc)
2018-06-13 06:22:15

Anyone know if DEP under business manager will possess the ability to support modern auth?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-13 06:30:00

Nope

aaron (aaron@groundctl.com)
2018-06-13 10:38:11

Not going to happen in iOS 12

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-13 10:55:41

The Intune way around this is to skip user auth until the agent install which just makes my head hurt...

👍 NicolasR
Simon Walker (simon.walker@uk.ibm.com)
2018-06-13 16:22:35

@Simon Walker has joined the channel

NicolasR (raison_nicolas@me.com)
2018-06-13 17:36:12

about this MS Article: https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-third-party-emm

Which App bundle ID should I assign to the managed appconfig?

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 08:22:03

Depends on which apps you would like to manage. What is your use-case?

NicolasR (raison_nicolas@me.com)
2018-06-14 08:54:07

All the o365 apps (Word, Excel, PPT, OneDrive, teams and others)

  • MS authenticator

The use case is to prevent documents open-in to non corporate accounts such as Dropbox within the office apps

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 09:31:07

You do not need to have the Bundle IDs for this, at least if you are using an MDM or Intune itself. What are you using?

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 09:44:00

Here are the bundle IDs that MobileIron sees as Intune SDK apps:

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 09:45:06

Wasn't able to get a simple list. But in the JSON, search for the app you need and then the "appIdentifier"

NicolasR (raison_nicolas@me.com)
2018-06-14 12:57:43

Hi @Mark Vonk not sure you sent me the right file

NicolasR (raison_nicolas@me.com)
2018-06-14 12:58:08

When I deploy a managed app config I need to specify which managed app will receive this configuration plist

NicolasR (raison_nicolas@me.com)
2018-06-14 12:59:09

If I understand the doc provided correctly I can send this Plist to the app

NicolasR (raison_nicolas@me.com)
2018-06-14 12:59:10

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IntuneMAMUPN</key>
    <string>$USER_UPN$</string>
</dict>
</plist>

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:01:29

Hi @NicolasR: that will not work. You can't send the configurations using an appconfig. You will need to use Intune or the Graph API (or an MDM that can target the Graph API). Only with these can you send the proprietary Microsoft configuration to these apps. A managed app config does not allow you to change those kinds of settings (DLP settings in Intune SDK apps)

NicolasR (raison_nicolas@me.com)
2018-06-14 13:04:34

Solution: Deploy iOS managed app configuration to Office 365 apps

In iOS 7, Apple introduced managed app configuration. This configuration allows an administrator to remotely configure and populate app settings for managed apps on managed devices. Managed app configurations follow a standardized format and do not require proprietary SDKs or app wrappers.

Microsoft Office apps support iOS managed app configurations such as “IntuneMAMUPN,” which allows the MobileIron administrator to set up the Office 365 work account in each Microsoft app. When Microsoft apps are deployed with IntuneMAMUPN, attachments opened from a managed app into Microsoft apps are treated as work documents. For example, an attachment opened from a managed iOS native email account into a Microsoft app can only be saved into the Office 365 work account specified by the managed app configuration. To learn more about deploying IntuneMAMUPN, see Microsoft’s documentation here.

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:07:54

They do support it to have the UPN set. But you will still need Intune or use of the Graph api to actually set the DLP settings.

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:08:19

So, you can use the managed app config to have MobileIron populate the app with the users' UPN

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:09:01

But that UPN must still be known in Azure AD and for that user in Azure, there must be some configuration configured for Intune SDK apps

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:10:17

ie. you can't configure DLP settings in Intune SDK apps, without an Intune license and Intune app configurations or an MDM that uses the Graph API to configure those app configurations for you.

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:16:09

HMMM hold on... not so sure about this...

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:26:44

This document is very unclear: https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-third-party-emm. I do not know what to make of it; if Intune app protection policies are needed for this or not.

Mark Vonk (mark.vonk@dahvo.com)
2018-06-14 13:30:22

But you can always try by just sending the PLIST. It seems like the app (Word for example) will respect managed vs unmanaged Open In on iOS. In the JSON I have sent before, all Microsoft and 3rd party apps that should be able to use it are listed (https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps). It's in JSON format, so you need to search for the App you need and there it will have the App Bundle ID.

NicolasR (raison_nicolas@me.com)
2018-06-14 16:00:40

Thanks!

Adam Case (ajcase@us.ibm.com)
2018-06-15 16:13:03

@Adam Case has joined the channel

andrea (andrea@groundctl.com)
2018-06-20 16:35:39

@andrea has joined the channel

Woody (eric.woodland@trust.tc)
2018-06-21 04:41:34

@here Anyone know of a way to determine what URLs an iOS app is calling? Trying to troubleshoot the Workspace ONE client. Unfortunately, the console of the device doesn’t show enough to go on.

Woody (eric.woodland@trust.tc)
2018-06-21 06:18:02

*Thread Reply:* Update: Was able to engage the frustration shake and pull logs from within the app. Apparently WS1 is doing some sort of lookup on my device and redirecting me to an AirWatch tenant that’s not actually mine.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-21 11:11:40

*Thread Reply:* Nice!

jafullersr (jafuller@starbucks.com)
2018-06-21 16:59:55

*Thread Reply:* Wow.

Woody (eric.woodland@trust.tc)
2018-06-21 17:30:50

*Thread Reply:* Yeah! Kind of interesting. I sent the details over to their team and anxiously await more detail as to how the internal flow of that function works

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-21 17:33:02

*Thread Reply:* So is it going to an actual other AW instance or just an unknown URL?

jafullersr (jafuller@starbucks.com)
2018-06-21 17:34:10

*Thread Reply:* I’m having a hard time understanding how that could happen. That is nuts.

Woody (eric.woodland@trust.tc)
2018-06-21 17:37:39

*Thread Reply:* Well, this WS1 tenant was switched back and forth between a couple AW instances. I think it may have gotten mixed-up in the shuffle

Woody (eric.woodland@trust.tc)
2018-06-21 17:38:10

*Thread Reply:* I kind of understood WS1 would use the OD name to lookup the AW tenant… and I think that may be where the wheels came off

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-21 17:38:23

*Thread Reply:* Senility setting in with AirWatch hey!

Woody (eric.woodland@trust.tc)
2018-06-21 17:55:57

*Thread Reply:* 😆

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-28 00:58:14

*Thread Reply:* plug in Xcode and hit Go.

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-28 00:58:16

*Thread Reply:* 😉

onires53 (jason.r.serino@gmail.com)
2018-06-21 18:39:39

Has anyone updated to the new Apple Business Manager portal? If so, any issues with the EMM DEP or VPP integrations during the migration?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-21 18:40:38

*Thread Reply:* Not yet... But want to hear the answer from anyone who has!

Our apple reps have all told us there will be no issues...

jafullersr (jafuller@starbucks.com)
2018-06-21 19:05:53

*Thread Reply:* We migrated DEP. Working on VPP. DEP migration was touchy. They said we didn’t need to recreate the DEP tokens, but we did. So, there’s that.

jafullersr (jafuller@starbucks.com)
2018-06-21 19:07:00

*Thread Reply:* No device issues though.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-21 19:10:21

*Thread Reply:* Eww recreating the tokens...

onires53 (jason.r.serino@gmail.com)
2018-06-21 19:37:29

*Thread Reply:* We talked with Apple as well and they said the same thing to us: would be no issues.

Definitely want to upgrade.

jafullersr (jafuller@starbucks.com)
2018-06-21 19:56:20

*Thread Reply:* Already having the default EMM endpoint based off of device type has helped us immensely.

👍 Woody
jafullersr (jafuller@starbucks.com)
2018-06-21 19:56:52

*Thread Reply:* Token re-creation was really just like a renewal.

jafullersr (jafuller@starbucks.com)
2018-06-21 19:57:05

*Thread Reply:* Not super bad, but not expected either.

Woody (eric.woodland@trust.tc)
2018-06-21 20:59:22

*Thread Reply:* Default EMM Endpoint, as in iPad goes here, iPhone goes there @jafullersr?

aaron (aaron@groundctl.com)
2018-06-21 23:31:50

*Thread Reply:* Not much risk in token recreation. Devices already have profiles assigned... but with VPP there is more risk. Good luck!

👍 Woody
jafullersr (jafuller@starbucks.com)
2018-06-25 21:13:03

*Thread Reply:* Yes, we set specific endpoints for specific devices due to purpose built configurations. @Woody So far it’s been working great.

👏 Woody
:the_horns: Woody
✅ Woody
onires53 (jason.r.serino@gmail.com)
2018-06-26 14:58:36

*Thread Reply:* I appreciate all the feedback. @jafullersr what was touchy about the DEP migration other than the recreation of the DEP tokens?

Russell Mohr (rmohr@mobileiron.com)
2018-06-27 03:08:43

*Thread Reply:* I had no issues

Russell Mohr (rmohr@mobileiron.com)
2018-06-27 03:08:53

*Thread Reply:* I migrated a DEP account with 20 tokens

Russell Mohr (rmohr@mobileiron.com)
2018-06-27 03:08:58

*Thread Reply:* all continued to function

Russell Mohr (rmohr@mobileiron.com)
2018-06-27 03:09:56

*Thread Reply:* VPP sToken for the program agent (first DEP admin) was also migrated when I enabled VPP

Russell Mohr (rmohr@mobileiron.com)
2018-06-27 03:11:00

*Thread Reply:* I do see issues with other existing VPP sTokens created by other admins in my domain though.. You can point them to a “Location” in ABM but I don’t believe they are really added to the ABM portal

Russell Mohr (rmohr@mobileiron.com)
2018-06-27 03:11:22

*Thread Reply:* Or at least, the other tokens aren’t reflected in the license totals for all of my VPP tokens

macbentosh (benbergthold@gmail.com)
2018-06-22 01:10:40

How can we let Mobileiron use outlook?

Woody (eric.woodland@trust.tc)
2018-06-22 02:28:02

You mean how can you deploy Outlook for use only by managed devices? For use with on premise or O365 mailboxes?

macbentosh (benbergthold@gmail.com)
2018-06-22 04:38:30

Our users want to use the Outlook app with MI and on-prem Exchange

Woody (eric.woodland@trust.tc)
2018-06-22 06:01:19

@macbentosh are you using Sentry? If yes, does that imply that you’d like to use the Outlook app with ActiveSync or perhaps EWS through Tunnel, etc?

macbentosh (benbergthold@gmail.com)
2018-06-22 06:13:47

Yea

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-22 18:27:38

Do you have any frosted identity provider (ping eg?)

We've done this with AirWatch and ping so that only enrolled devices get access to outlook mobile app.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-22 18:27:50

Federated**

jafullersr (jafuller@starbucks.com)
2018-06-25 21:25:50

@Simon Hardy-Bistagne Can you describe a bit more on how you tied them together? I want to do this.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-25 21:46:52

*Thread Reply:* So... We have ping in front of office365 carrying out the authentication.

Ping has a connector into Airwatch so that as a part of its policy you can set that the device accessing must show as compliant in Airwatch.

The rest of the ping rule is written so that any mobile device accessing office 365 via the outlook mobile app must be compliant within Airwatch.

Of course the rule only applies to mobile traffic not desktop.

This allows us to basically allow an office 365 conditional access rule to all mobile devices using outlook mobile, but only ones Airwatch say are compliant will get through.

Just one thing to consider, ping does device ID via certificate so you will need a pki setup deploying certificates.

✅ Woody
jafullersr (jafuller@starbucks.com)
2018-06-26 16:06:31

*Thread Reply:* Thanks @Simon Hardy-Bistagne

Woody (eric.woodland@trust.tc)
2018-06-26 16:27:25

*Thread Reply:* Nice explanation, @Simon Hardy-Bistagne!

Damian (support@expertmobilite.com)
2018-08-09 19:38:04

*Thread Reply:* We do something similar except that we also do mobileSSO via ViDM so no passwords to worry about!

Damian (support@expertmobilite.com)
2018-08-09 19:38:29

*Thread Reply:* @Woody you remember our in-depth discussions on that ! 😆

Woody (eric.woodland@trust.tc)
2018-08-09 20:03:55

*Thread Reply:* Oh yes @Damian! I’m all about that haha

Woody (eric.woodland@trust.tc)
2018-08-09 20:04:15

*Thread Reply:* Doing lots of it with WS1/AirWatch (and now MI Access)

Damian (support@expertmobilite.com)
2018-08-09 20:08:01

*Thread Reply:* Good to hear man - exciting times with IDM and mobility!

:the_horns: Woody
Matthew Shaver (mshaver@us.ibm.com)
2018-07-03 17:07:51

@Matthew Shaver has joined the channel

Gerben Camp (gcamp@mobileiron.com)
2018-07-04 22:08:06

@Gerben Camp has joined the channel

Raul (rnadal@mobileiron.com)
2018-07-08 14:11:37

@Raul has joined the channel

NicolasR (raison_nicolas@me.com)
2018-07-10 15:38:45

Hello @here Does anyone know what Apple means by "improves the reliability of syncing mail, contacts, and notes with Exchange accounts." in iOS 11.4.1 release notes?

Jason (jasonh@bridgeway.co.uk)
2018-07-10 15:41:34

They fixed a bug?

👏 Woody
Jason (jasonh@bridgeway.co.uk)
2018-07-10 15:41:40

🙂

Woody (eric.woodland@trust.tc)
2018-07-10 15:42:52

That’s my guess. Err on the side of fixing something that wasn’t working right, as opposed to introducing some new feature in a .1 release

Matthew Shaver (mshaver@us.ibm.com)
2018-07-10 15:46:19

The security notes for 11.4.1 don’t list anything specific so it’s likely just some functional tweaks, maybe around some recent updates with Activesync ’16

👍 Woody
NicolasR (raison_nicolas@me.com)
2018-07-10 15:46:35

hum ok

NicolasR (raison_nicolas@me.com)
2018-07-10 15:46:37

thanks

Woody (eric.woodland@trust.tc)
2018-07-10 15:48:08

Any particular issue you were hoping it would correct, @NicolasR?

NicolasR (raison_nicolas@me.com)
2018-07-10 15:48:43

Having issues with a customer and Exchange 2013 CU 19 but we don't know if it's device side issue or MobileIron issue...

👍 Woody
NicolasR (raison_nicolas@me.com)
2018-07-10 15:48:50

(or other...)

NicolasR (raison_nicolas@me.com)
2018-07-10 15:49:05

still investigating...

Mark Vonk (mark.vonk@dahvo.com)
2018-07-10 18:45:56

We have some cases where activesync was not reliable, especially new mail notifications. Basically the ActiveSync ping (to keep the session alive) was not occurring when the mail app was not active. This seems, so far, fixed in 11.4.1

👍 NicolasR
NicolasR (raison_nicolas@me.com)
2018-07-10 22:06:51

Thanks! Not the issue I have obviously

dmilesau (darryl_miles@hotmail.com)
2018-07-11 09:54:09

@dmilesau has joined the channel

Steffen Schwab (sschwab@mobileiron.com)
2018-07-16 14:56:48

@Steffen Schwab has joined the channel

Ash Armitt (ashleyarmitt@gmail.com)
2018-07-18 06:28:45

@Ash Armitt has joined the channel

Russell Mohr (rmohr@mobileiron.com)
2018-07-18 15:43:15
Russell Mohr (rmohr@mobileiron.com)
2018-07-18 15:43:35

Interested in people's experiences with Apple Business Manager so far

Russell Mohr (rmohr@mobileiron.com)
2018-07-18 15:43:50

especially with multiple VPP tokens in the organization

Matthew Shaver (mshaver@us.ibm.com)
2018-07-18 15:49:41

Transition seems smoother than when they pushed EDU clients over to ASM, so no hiccups there. Honestly haven’t heard of any clients taking advantage of the newest of features, most seem to just treat it as a new UI, do the transfer over, then forget about it

👍 NicolasR, dmilesau, Russell Mohr
jafullersr (jafuller@starbucks.com)
2018-07-23 19:24:50

We’re off-loading apps that are no longer in use or have a purpose to a “parking lot” VPP token which would move it off of our production VPP token and clear it from visibility in the EMM. We also use the device specific routing for specific enrollment end-points which is a huge help for us over straight DEP.

👍 Woody
👍:skin_tone_3: Preetham Guram, Jay
👋 Russell Mohr
aaron (aaron@groundctl.com)
2018-07-23 19:25:33

Brilliant.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-23 19:37:23

Great idea.

NicolasR (raison_nicolas@me.com)
2018-07-24 09:17:43

Calendar app will be in managed open-in restrictions with iOS 12 🙂

👍 Jason Bayton, Woody
😮 Russell Mohr
NicolasR (raison_nicolas@me.com)
2018-07-24 09:17:56

no release notes about this, it's an info from Apple directly

pvin2011 (pvin2011@yahoo.com)
2018-08-01 02:48:43

@pvin2011 has joined the channel

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-08-03 08:51:25

@Alex Chappuis has joined the channel

NicolasR (raison_nicolas@me.com)
2018-08-09 18:40:03

About managed open in "Apple has confirmed that this is the intended behavior for the Contacts app in iOS 11.3, but has added new restrictions for iOS 12 beta 6+ to permit the older behavior at administrator discretion"

NicolasR (raison_nicolas@me.com)
2018-08-09 18:41:31

<key>allowManagedToWriteUnmanagedContacts</key>
<true/>
<key>allowUnmanagedToReadManagedContacts</key>
<true/>

NicolasR (raison_nicolas@me.com)
2018-08-09 18:41:58

Good news they allow to distinguish read and write!!

🔥 Matthew Shaver, RobE
👍 Alex Chappuis, Woody, Mark Vonk, RobE
Matthew Shaver (mshaver@us.ibm.com)
2018-08-10 14:57:21

@NicolasR in their confirmation of this, did you happen to find any accompanying documentation in the dev pages or otherwise?

NicolasR (raison_nicolas@me.com)
2018-08-10 23:28:01

This was an announcement from MobileIron but sure you’ll be able to find something in the profile reference that includes iOS 12

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2018-08-15 06:53:40

@Wolfgang Bauer has joined the channel

onires53 (jason.r.serino@gmail.com)
2018-08-15 19:57:46

@aaron We have a need to be able to pull the iOS image off of some devices that are in Apple DEP. We use MobileIron, and in our Apple DEP Profile, we have disallowed pairing. However, we created a Pairing certificate in Apple Configurator on our Mac, and added that to the DEP profile. I assumed that this would allow us to pair a device with a computer which had this certificate. We are unable to get the device which has the DEP profile with the pairing certificate paired with the laptop. Any ideas?

jereme (jereme.haden@gmail.com)
2018-08-15 20:09:42

@jereme has joined the channel

aaron (aaron@groundctl.com)
2018-08-15 20:45:45

Hey @onires53 — Did you add that pairing certificate (aka “Supervision Identity”) after those iOS devices were already set up? If so it won’t have an effect. DEP does its thing ONLY during initial setup.

aaron (aaron@groundctl.com)
2018-08-15 20:46:07

So the DEP profile settings that were in effect when you set up the device will stick with the device until you erase it.

aaron (aaron@groundctl.com)
2018-08-15 20:46:52

My suggestion: use iCloud to back up (I know…), erase the devices with the new DEP settings, restore from iCloud, and then back them up.

onires53 (jason.r.serino@gmail.com)
2018-08-15 21:05:17

Thanks @aaron. We are 99.9999% sure that the phone was deployed after the pairing certificate was added to the DEP profile. We tried with another device as well and got the same error. I'm wondering if we set up the pairing certificate incorrectly.

aaron (aaron@groundctl.com)
2018-08-15 21:21:51

Maybe move this to a private chat?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-17 09:11:23

gmail gsuite, iOS mail, mfa...

Do i really have to manually generate an app password to use iOS mail?

Jay (jay@project-xy.com)
2018-08-17 10:18:06

From my recent experience it was mixed. One device set up gmail from gsuite with no issues…. other device it just wouldn't set up and went through the whole App password config and then back to the device to start setup again.. and bingo!

Mark Vonk (mark.vonk@dahvo.com)
2018-08-20 08:28:47

@Matthew Shaver @NicolasR Contact app behaviour restrictions are now part of the Apple configuration profile reference: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf Page 73

👍:skin_tone_2: Jay, Matthew Shaver, Woody, NicolasR
AJ (ajorgensen@mobileiron.com)
2018-08-22 11:05:14

@AJ has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-23 11:49:06

Has anyone had any luck deploying wallpaper to a supervised device using a custom profile?

aaron (aaron@groundctl.com)
2018-08-23 11:51:40

@Simon Hardy-Bistagne Wallpaper can not be distributed by configuration profile. It is a direct MDM command instead. I don’t know why Apple chose to implement it this way.

aaron (aaron@groundctl.com)
2018-08-23 11:52:37

The only thing a config profile can do is PREVENT users from changing the wallpaper, and only on supervised devices.

aaron (aaron@groundctl.com)
2018-08-23 11:52:56

MDM can set wallpaper (again only for supervised devices). The implementation depends on the MDM.

aaron (aaron@groundctl.com)
2018-08-23 11:53:17

(GroundControl can set wallpaper too.)

aaron (aaron@groundctl.com)
2018-08-23 11:53:57

I think it would have been more appropriate to set wallpaper via config profile, much like how icon arrangement is set.

Jay (jay@project-xy.com)
2018-08-23 11:55:15

EMM’s can also set the icon placement as well (I know MaaS can do this)

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-23 17:45:29

Thanks Aaron! Thought so but that's life.

jafullersr (jafuller@starbucks.com)
2018-08-23 18:20:54

Has anyone found a way to restrict or manage widgets in iOS?

jafullersr (jafuller@starbucks.com)
2018-08-23 18:22:01

By default we want to keep that pane on the device clear of widgets. The user of the device may add some, but from the get go, we would like it to be clear of widgets.

Jay (jay@project-xy.com)
2018-08-23 18:34:48

I may be wrong but I’m not aware of any MDM controls for the widgets. I know for example you can remove the news one if you disallow the use of news in application policies. Widgets have an extension of .widget and perhaps someone has found a way to block them?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-23 18:36:27

I've not tried it... But I did hear that the widgets actually carry a separate app id, and can be white listed and black listed using that id, while keeping the app itself untouched

aaron (aaron@groundctl.com)
2018-08-23 21:15:57

@jafullersr GroundControl can manage them using a master backup. Remove the widgets from the master and we will copy that to devices. That’s assuming it is these sorts of corporate devices.

jafullersr (jafuller@starbucks.com)
2018-08-23 21:19:02

I know that they’re signed extensions, but they’re not deployed independently from the application. So, I don’t believe there is the ability to white/blacklist them as they’re not specific apps running, they’re signed, trusted extensions of the main app. @aaron, I wish it were such for our deployment model that we could restore, but that isn’t in the cards at this point. Great solution for my use case though.

👍:skin_tone_3: aaron, Woody
RobE (robert.kreuzer@outlook.com)
2018-08-28 09:15:53

Hey guys, will a restore from an unsupervised backup (iTunes or iCloud) break the DEP supervision? What is the official procedure to restore a backup for DEP devices? I know there has been a way with a second device. Can‘t find anything official with Apple on this.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-28 09:17:57

If it is a restore of that same device, and it wasn't originally a DEP supervised device, then it will restore as unsupervised.

If it is a new DEP device, being restored from a backup from a different device, then it will continue to be supervised correctly.

Jason Bayton (jason@bayton.org)
2018-08-28 09:19:02

AFAIK you still can't restore from iTunes in DEP if it was unsupervised at time of backup

RobE (robert.kreuzer@outlook.com)
2018-08-28 09:21:36

Ah ok, which is not so bad, right? because having users breaking the supervision with a restore is not the goal.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-28 09:23:59

Exactly.

The only time I've ever really found this to be an issue is where either;

A) a carrier has been adding devices to our DEP portal and they've not been assigned to our mdm server before the user has activated it

B) we have done a historical addition by asking our carrier to add all iOS devices we've bought in the last 7 years to the portal.

Net new devices which are dispatched as DEP it's not a problem

RobE (robert.kreuzer@outlook.com)
2018-08-28 09:30:24

Well we have a lot of customers which have never used DEP (nor manual supervision via AC2) so all the backups are from unsupervised non-DEP devices. The new devices will be supervised DEP devices of course, but this always brings up the question: how can I restore my data? iCloud backups are not welcome, so if there is no way with iTunes the answer will be pretty straight forward.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-28 09:34:20

Yeah it's always a fun question.

Our config is simply to allow iCloud backups, but with AirWatch we block corporate apps/data from backing up to iCloud so it's really just the personal data, and app meta data being backed up.

Gives a good balance.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-28 09:35:29

The biggest problem we had with iCloud backups was that people used personal iTunes accounts (which isn't an issue) however that then locked the device to them if they left the company.... Of course, DEP solves this.

RobE (robert.kreuzer@outlook.com)
2018-08-28 09:48:08

Thanks for the input. 😊

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-08-30 07:02:45

You may also recommend other software like "iMazing" which does a good job! Best practice = don't recommend iTunes or iCloud restore on supervised devices

🙏 RobE
RobE (robert.kreuzer@outlook.com)
2018-08-30 20:12:18

*Thread Reply:* That iMazing sounds good. Gotta give it a try! Thanks 👍:skintone2:

aaron (aaron@groundctl.com)
2018-08-30 15:06:11

I second iMazing.

RobE (robert.kreuzer@outlook.com)
2018-08-31 06:39:25

*Thread Reply:* How do you mean?

aaron (aaron@groundctl.com)
2018-08-31 09:26:54

*Thread Reply:* I mean I recommend it also.

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-08-30 15:47:09

There used to be an official statement from Apple (about DEP) by the way:

👍 RobE
Jason Bayton (jason@bayton.org)
2018-08-30 15:51:18

Tenuously related, Apple are starting to call it "device enrolment" going forward and dropping DEP. Apparently DEP is offensive in German? 😅 Confirmed by an apple guy on a call yesterday

RobE (robert.kreuzer@outlook.com)
2018-08-30 20:13:44

As long as you don‘t call the apple guy DEP(P) you are safe Jason! 😂

Matthew Shaver (mshaver@us.ibm.com)
2018-08-31 15:17:31

I’ll be damned

😆 Woody, RobE
Jason Bayton (jason@bayton.org)
2018-08-31 15:23:47

"Do you guys have DEP there?" "A few actually, but what about mobile devices?"

😂 RobE
Matthew Shaver (mshaver@us.ibm.com)
2018-08-31 15:28:47

ba-dum-tssss

Matthew Shaver (mshaver@us.ibm.com)
2018-08-31 15:31:47

I think Apple is just tired of creating products that can so easily be mispronounced - iPhone Ex OS Ex Depp

😀 RobE
Tycho (tycho@schenkeveld.com)
2018-08-31 15:49:47

But if you stop using abbreviations because they mean something rude in one country you can pretty much ban all of them. For example in China even number 4 is viewed as unlucky but they didn't skip iOS (or iPhone) 4 🙂 But anyway.. Device Enrolment it is 🙂 Thanks for the heads-up!

Woody (eric.woodland@trust.tc)
2018-08-31 16:03:02

That is hilarious, @Matthew Shaver

jafullersr (jafuller@starbucks.com)
2018-09-04 16:00:43

Next one is iPhone Xs. Yes, as in excess.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-04 16:01:46

I see it... I always think clothing sizes.... I don't think it will be extra small though... The price tag sure as hell won't be.

😆 jafullersr, Jay, Jason, Tycho, Woody
💰 Jay
Tycho (tycho@schenkeveld.com)
2018-09-04 20:03:52

I thought XS was strange too... But this is from the company that thought iPad was a good name 🤣

Jeremy (jeremy@bodokh.com)
2018-09-05 15:25:22

I’m helping someone setup some iPad as kiosk with a website. Do you recommend to use Safari as the browser or have another app?

Jeremy (jeremy@bodokh.com)
2018-09-05 15:25:31

I need to lock the iPad to a single website and I’m not sure that Safari is the best way to do it.

Jeremy (jeremy@bodokh.com)
2018-09-05 15:28:02

Can I lock the iPad using a webclip?

aaron (aaron@groundctl.com)
2018-09-05 15:47:10

@Jeremy You can lock down Safari if the iPad is supervised. A web clip will help if you set it up as “Full Screen” (i.e. there won’t be an address bar). In addition use Apple Configurator to add a “Content Filter” to allow “Specific Websites Only”

aaron (aaron@groundctl.com)
2018-09-05 15:47:36

You may also want to add restrictions to turn off autofill.

Jeremy (jeremy@bodokh.com)
2018-09-05 15:47:38

That’s what I thought 😉 I can lock down to the webclip correct ?

aaron (aaron@groundctl.com)
2018-09-05 15:47:51

Not really

Jeremy (jeremy@bodokh.com)
2018-09-05 15:48:04

So I have to lockdown to Safari + Restriction ?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-05 15:48:10

Hi Jeremy, Safari is working nicely with the single app mode. You can also add a web filter so that only 1 website can be opened. It will even show in the safari sidebar (like bookmarks). Using a webclip will not lock the iPad. You have to define a single app mode policy and also the web filtering profile.

👍 Woody
aaron (aaron@groundctl.com)
2018-09-05 15:48:22

Yes. There’s no way to do single app mode on a web clip. Only Safari.

👍 Woody
Jeremy (jeremy@bodokh.com)
2018-09-05 15:48:36

Thanks

Makmuri (katarina.makmuri@gmail.com)
2018-09-12 02:00:16

@Makmuri has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 12:25:51

Migrating supervised iOS devices from one EMM platform to another.... GO....!

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 12:26:37

.... perform a factory reset... GO!

😆 Woody
Jay (jay@project-xy.com)
2018-09-13 12:27:37

Ooooh.... so can you tell which platforms and are you using a migration tool?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 12:29:20

Yeah... I'm hoping that the nuclear option isn't the only one, and that there is some obscure other way to do it...

I'm looking at a migration platform called EBF Onboarder... but it's more of a logical management of the tasks and accounts... the end user still needs to carry out some work on their end (although limited)

Jay (jay@project-xy.com)
2018-09-13 12:29:40

I did wonder if it was EBF

Jay (jay@project-xy.com)
2018-09-13 12:29:59

Have you looked at Wave from Digital Dimension as well?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 12:30:32

not yet

Jay (jay@project-xy.com)
2018-09-13 12:30:39

http://mobility.digitaldimension.solutions/en/emm-migration/

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 12:32:16

I do not see any other way than to "factory reset" it. The device needs to pick up the fact that it's tied to another MDM and be supervised by the other MDM. Only happens during the "activation" prior to the Setup Assistant. Migration tools focus on making the process more user friendly, but the steps are, in the end, all the same.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 12:33:11

agreed, for those who are already under DEP/supervised... a reset is the only option

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 12:33:44

although an iCloud backup and restore would be most useful I think

aaron (aaron@groundctl.com)
2018-09-13 13:49:03

@Simon Hardy-Bistagne there are other ways. A DEP device can be unenrolled (retired) by the MDM, even if the profile is “unremovable”.

aaron (aaron@groundctl.com)
2018-09-13 13:49:21

You can then install an enrollment config profile for the new MDM.

aaron (aaron@groundctl.com)
2018-09-13 13:49:36

The new profile will, however, be removable by the end user.

aaron (aaron@groundctl.com)
2018-09-13 13:50:07

If the devices are supervised and if you happen to have a supervision identity handy, this can be done via USB without user interaction.

aaron (aaron@groundctl.com)
2018-09-13 13:50:31

But it can also be done over the air, as long as the user taps on the screen in the right order.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 13:52:21

Yes, this was what I was thinking. DEP for us is more around secure enforced enrolment rather than actually using the supervised rules...

I'm running some tests around running enterprise wipes, user unenrolling etc and then manually enrolling into intune.

aaron (aaron@groundctl.com)
2018-09-13 13:52:45

Yes, that’s it

aaron (aaron@groundctl.com)
2018-09-13 13:53:44

At some point you’ll switch the devices from one MDM to the other in Apple’s DEP portal/Apple Business Manager. But you know this has no effect unless the device is reset.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 13:54:31

Exactly...

aaron (aaron@groundctl.com)
2018-09-13 13:54:53

Maybe GroundControl can be helpful? By plugging in a device, we can send the retire API command to the old MDM, then install the enrollment profile into InTune.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 13:54:54

If we plan on actually making the change then we'll just repoint the DEP to the right MDM, and move the serials over

NicolasR (raison_nicolas@me.com)
2018-09-13 17:22:10

Did anyone test the "allowUnmanagedToReadManagedContacts" key value pair in iOS 12?

Tycho (tycho@schenkeveld.com)
2018-09-15 13:09:25

*Thread Reply:* Yes it unfortunately works for us 🙂 Because I don't see my corp contacts in Whatsapp

Tycho (tycho@schenkeveld.com)
2018-09-15 13:11:01

*Thread Reply:* And I created a lot of personal contacts in the corp address book by mistake because it doesn't give you the choice or remind you when you create them.. It just picks the 'default' that's buried in settings and resets every time you re-enroll. DOH

NicolasR (raison_nicolas@me.com)
2018-09-15 13:24:33

*Thread Reply:* This doesn’t work then as this should allow to see contacts in WhatsApp

Tycho (tycho@schenkeveld.com)
2018-09-16 11:20:05

*Thread Reply:* Oh yeah sorry, good point! But I don't know whether we had the key set or not. I assume not as our Intune test config is quite restrictive. We also disallow third party keyboards.

I was assuming the key you mentioned was a restriction key. I'll check it tomorrow!

NicolasR (raison_nicolas@me.com)
2018-09-16 12:53:36

*Thread Reply:* This key is new and surely Intune doesn't have this in the UI. You need to add it manually through a plist file

Tycho (tycho@schenkeveld.com)
2018-09-17 14:25:27

*Thread Reply:* I can do that!

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 17:33:05

We have a ticket with Apple, it’s not working correctly

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 17:33:31

It **appears that it’s not working correctly, I should say

Damian (support@expertmobilite.com)
2018-09-13 17:34:23

Same here

Damian (support@expertmobilite.com)
2018-09-13 17:34:37

We tested with custom keys on iOS 12 beta

Damian (support@expertmobilite.com)
2018-09-13 17:34:45

We’re on AirWatch

Damian (support@expertmobilite.com)
2018-09-13 17:35:10

It’s possible from beta 6 onwards

NicolasR (raison_nicolas@me.com)
2018-09-13 18:25:57

Tested on iOS 12 GM, works on supervised device but the restriction is not shown in the restrictions menu in Settings > General > MDM profile

NicolasR (raison_nicolas@me.com)
2018-09-13 18:26:28

Non supervised doesn’t work but WHY THE FUCK WE NEED SUPERVISION FOR THIS???

😬 Alex Chappuis
jafullersr (jafuller@starbucks.com)
2018-09-13 18:50:15

All iOS corporate owned will soon be supervised. It’s how they’re segmenting BYO from Corp.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-13 18:52:23

^this.. is why I hate Intune... No ability to select ownership at enrolment and defaulting to BYO...

Countries where DEP isn't available means I can't categorise devices correctly...

RageFace

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 19:05:36

There are two new policy features for the contact export - one is Supervised, the other is not, I believe

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 19:07:43

But it looks like their documentation for implementation was not correct, and that could be part of it

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 19:07:55

When we have more information on our Apple ticket, I’ll update

NicolasR (raison_nicolas@me.com)
2018-09-13 19:35:37

Yes I know that Apple separates BYO / CORP devices through supervision but this feature is not a risk for user privacy. It’s the opposite ! It’s only a risk for corporate data

jafullersr (jafuller@starbucks.com)
2018-09-13 19:49:32

It’s inherently disabled, correct? So you really only need the setting if you want to enable unmanaged apps access to contacts?

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 19:55:20

There is AllowManagedtoWriteUnmanagedContacts - This should be non-supervised and allow managed apps to push contacts to unmanaged apps.

AllowUnmanagedToReadManagedContacts would allow the unmanaged app to read contacts from a managed app - this is Supervised only, but this property is null if the former is set to True.

What’s new and different is that these payloads have a note that states: A payload that sets this to True must be installed via MDM. I’ve never seen that note in a payload before

NicolasR (raison_nicolas@me.com)
2018-09-13 20:07:26

Indeed... but again I don’t understand why this is for supervised only...

Matthew Shaver (mshaver@us.ibm.com)
2018-09-13 20:09:59

I think the latter is supervised just because it allows an unmanaged app to read from a managed app, whereas the former is a managed app pushing data out. Just a guess though

Matthew Shaver (mshaver@us.ibm.com)
2018-09-14 05:12:45

Anyone know the app ID for the “Measure” App

Woody (eric.woodland@trust.tc)
2018-09-14 05:15:48

@Matthew Shaver Looks like com.apple.measure, based on this: https://github.com/joeblau/apple-bundle-identifiers

Matthew Shaver (mshaver@us.ibm.com)
2018-09-14 05:17:57

Thanks! keeping my fingers crossed this is correct. It follows the same naming convention as their others, so it’s a safe bet

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-14 07:01:51

Hi, we tested AllowManagedtoWriteUnmanagedContacts and AllowUnmanagedToReadManagedContacts for a Swiss customer with all use cases, also in combination with "allow from unmanaged to managed and vice-versa". Everything works as documented (and also on a supervised device). For Email+ (as an example) we still have to keep in mind that the unmanaged data is not deleted automatically when the app is removed. The user has to clean the contacts from Email+ or manually.

NicolasR (raison_nicolas@me.com)
2018-09-14 21:24:18

From Apple case: Nicolas,

I have gotten confirmation that supervision should not play any role in the “allowUnmanagedToReadManagedContacts” from working. That said, we are tracking a few other unexpected behaviors that may be applicable. Let me know if your deployment meets any of the conditions below:

1) No applicable native Mail account is configured via MDM because users are using a 3rd party for their business email.

2) Are you also pushing other ManagedOpenIn restrictions? We have found that when Managed Open In restrictions are enabled on a device and the allowManagedToWriteUnmanagedContacts restriction is set to True managed apps are still unable to write to the local Contacts storage.

If your experiences match these conditions, our Product Engineering team is working on resolving this behavior. If you are reporting something different, we should get on a call to discuss this further.

I would also be open to a call early next week to discuss in general as well if you have any further questions or concerns.

Let me know.

Thank you, Daniel Morris Platform Support Engineering

👍 Damian
Woody (eric.woodland@trust.tc)
2018-09-14 21:25:57

Curious, has anyone used the Cert-Based AppConfig in the Salesforce app?

Woody (eric.woodland@trust.tc)
2018-09-14 21:26:23

Does that only fly if your Salesforce tenant accepts CBA as a form of auth?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-17 14:03:57

So.... 1st to a 1,000 iOS12 devices wins a prize?

😆 Woody
aaron (aaron@groundctl.com)
2018-09-17 14:05:23

I’m in.

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-17 14:45:10

#MeToo 🙂 across all our customers?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-17 14:46:45

Other question: we've been struggling with MobileIron for more than 6 months to troubleshoot the Send Activation Lock Bypass code feature (since Core 9.6.0.2 and iOS 10.x) - with DEP devices - the feature does not seem to be reliable with MobileIron. Do you have the same issue? I tested Core 10.0.0.3 and iOS 12 today and the code is not shown at all in the admin portal.... quite annoying for customers!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-17 14:47:39

Can't comment on MI... but why not disable it from the start?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-17 14:48:54

I mean: the iOS device is locked with Find My iPhone and it's supervised + DEP and the Activation "unlock" can be sent from the EMM normally. I heard some rumours that Apple is just telling customers that MobileIron is not really compatible with this feature

Matthew Shaver (mshaver@us.ibm.com)
2018-09-17 14:49:09

We’ve seen some unreliable behavior on the manual codes. We have yet to be able to reproduce, but we get client reports that the codes don’t work in any scenario on occasion (not on MI, mind you) so I think that maybe there have just been hit or miss issues with the Apple activation servers that handle this info

👍 Alex Chappuis, Jay
Mark Vonk (mark.vonk@dahvo.com)
2018-09-17 15:07:51

This is actually a known issue at MobileIron. Should be fixed in Core 10.1

👍 Alex Chappuis, NicolasR, Woody
aaron (aaron@groundctl.com)
2018-09-17 15:23:50

PSA: If you want to defer software update for 90 days on supervised devices running 11.3+, you can do it even if your MDM doesn’t expose the feature. Distribute this config profile to your devices: http://static.groundctl.com/assets/Defer_Software_Updates_90_Days.mobileconfig

👍:skin_tone_2: Simon Hardy-Bistagne, Woody
Damian (support@expertmobilite.com)
2018-09-17 15:56:45

On another note, does anyone here know how often iOS checks the App Store for updates when this setting is checked? Haven’t been able to find any info on this and I find that it doesn’t seem to happen very often. Maybe it’s because I’m a serial manual updater 🤔

Matthew Shaver (mshaver@us.ibm.com)
2018-09-17 17:08:20

I don’t think they publish this data, but if I had to guess, I’d say once every 24 hours, which is why you always see multiple apps updating at the same time.

Tycho (tycho@schenkeveld.com)
2018-09-17 18:19:38

So it's out!

Tycho (tycho@schenkeveld.com)
2018-09-17 18:19:53

At least in some regions

aaron (aaron@groundctl.com)
2018-09-17 18:20:43

Build 16A366 is the same as the GM Build.

Tycho (tycho@schenkeveld.com)
2018-09-17 18:20:53

Ah that's why I'm not seeing any update myself

Tycho (tycho@schenkeveld.com)
2018-09-17 18:20:56

But I hear from others that they do

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-17 18:21:43

Yep... just checked my iPad here in France and it’s picking it up...

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-17 18:21:51

Let the fun.... commence!

👍 Tycho, Jay
Tycho (tycho@schenkeveld.com)
2018-09-17 18:50:49

And we have the first one! 🙂

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-17 18:52:47

If it’s your own one it doesn’t count ;)

Tycho (tycho@schenkeveld.com)
2018-09-17 18:53:07

No it's not, I was already on the beta. Or is it your iPad?

Damian (support@expertmobilite.com)
2018-09-17 20:53:31

The GM is essentially the one they end up rolling out barring any major issues within a 24 hr period. I got it yesterday and I have no update notification on my device

aaron (aaron@groundctl.com)
2018-09-18 16:30:29

We’ll be at 1,000 later today.

👍 Woody
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-18 18:08:39

24 hours down, 1,330 devices updated

👍 Woody, Tycho, Alex Chappuis
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-18 18:09:14

My finger keeps hovering over that button which forces the update...!!

Matthew Shaver (mshaver@us.ibm.com)
2018-09-18 18:11:44

We’re up to 9,100 on 12 so far. Surprising amount of folks still on 11.0.1 for some reason

👍:skin_tone_2: Simon Hardy-Bistagne, Jay
👍 Woody, Jay
aaron (aaron@groundctl.com)
2018-09-18 22:43:56

Damn

jafullersr (jafuller@starbucks.com)
2018-09-18 23:13:44

I see 12.1 showing up now too. Thank you Public Beta.

aaron (aaron@groundctl.com)
2018-09-18 23:16:10

Our lady of perpetual beta.

Jay (jay@project-xy.com)
2018-09-18 23:32:28

Indeed... looks like Group FaceTime beta is back

👍 Woody, Jason
RobE (robert.kreuzer@outlook.com)
2018-09-19 15:08:33

Has anyone else an issue with iOS12 devices not showing the IMEI - on the device it is visible, but not via Intune which causes a problem with the corporate identifiers.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-19 15:13:57

I'm looking now and can see the IMEI for existing devices which updated.

I've not got any I can check for new enrolments already on iOS122 though.

RobE (robert.kreuzer@outlook.com)
2018-09-19 15:14:57

Ok thanks

Mark Vonk (mark.vonk@dahvo.com)
2018-09-19 15:26:24

IMEI or device ID?

jafullersr (jafuller@starbucks.com)
2018-09-19 17:20:00

I believe handling of UDID has changed, but you’d need to confirm that with Apple. for those who haven’t seen it: https://help.apple.com/deployment/mdm/

RobE (robert.kreuzer@outlook.com)
2018-09-19 18:02:58

IMEI.. predeclared devices with Config Mgr and Intune seems to have problems. Working on it with MS

jafullersr (jafuller@starbucks.com)
2018-09-19 18:57:56

Bummer.

RobE (robert.kreuzer@outlook.com)
2018-09-20 20:19:02

Guys, anything on the radar for bluetooth caller id to work without the contacts being synced into the native contacts?

Matthew Shaver (mshaver@us.ibm.com)
2018-09-20 20:27:05

*Thread Reply:* I believe this is tied to a feature called CallKit. It was made for VOIP apps, but as I understand it other apps can use its code to display contacts for incoming calls

Mark Vonk (mark.vonk@dahvo.com)
2018-09-21 06:53:09

*Thread Reply:* If the app is using CallKit, you can enable it using Settings / Phone / Call Blocking & Identification. If your app supports it, you can allow it here to provide the Caller ID.

RobE (robert.kreuzer@outlook.com)
2018-09-21 11:19:13

*Thread Reply:* So basically what you are saying is that the caller ID resolution should work when connected to the car via Bluetooth using iOS Email+? Because Email+ uses CallKit!

Mark Vonk (mark.vonk@dahvo.com)
2018-09-21 11:44:40

*Thread Reply:* Yes; when you enable the Email+ app to be used for identification, and you receive a phone call, the contacts in Email+ will be used to identify the caller ID. But there are some limitations; maybe your car only copies the contacts and shows only contacts copied, for example.

RobE (robert.kreuzer@outlook.com)
2018-09-21 12:34:47

*Thread Reply:* Yeah well no clue but caller id resolution definitely does not work when connected to car Bluetooth

Mark Vonk (mark.vonk@dahvo.com)
2018-09-21 12:38:55

*Thread Reply:* Does it work at all? So without BT and a connected car?

RobE (robert.kreuzer@outlook.com)
2018-09-21 13:12:17

*Thread Reply:* It works on the phone, but not on the car display while connected! 😊

Mark Vonk (mark.vonk@dahvo.com)
2018-09-21 14:20:05

*Thread Reply:* Ok, so it's really a matter of how the car interacts with the device. It probably just copies the local contacts (native contacts app) and uses those for the caller ID. Not much you can do about that. Maybe talk to the car manufacturer... or buy a car with CarPlay 🙂

😁 RobE
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-21 12:45:10

Does anyone else get continuing issues with Apple DEP services returning the "invalid profile" error??

We seem to get more and more recently.

Matthew Shaver (mshaver@us.ibm.com)
2018-09-21 13:25:28

We’ve noticed a significant increase in reports over the last year or so. A restore via iTunes usually resolves it, but leaves me wondering if there are communication issues between the device and activation servers. It never happens on DEP devices enrolled via Apple Config, only over-the-air

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-21 13:28:30

Yes we've seen a significant increase over the last year.

There seems to be a relationship between the carrier they're on and the number of issues (e.g. we have more users on Rogers in Canada and Orange in France reporting issues and almost none on AT&T in the US, which has a larger user base).

I've raised this one with Apple... But glad it's not just me...

Our resolution is a DFU restore as a normal restore doesn't seem to get it up and running again.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-21 13:38:38

Anyone having trouble with users enrolling any of the new iPhones?

RobE (robert.kreuzer@outlook.com)
2018-09-21 13:40:04

Yeah we have faced the transport known issue with iOS12

Matthew Shaver (mshaver@us.ibm.com)
2018-09-24 15:26:07

Have any of you fine folks come across any odd “managed to unmanaged” behavior since updating to iOS12? Specifically around calendars this time

Woody (eric.woodland@trust.tc)
2018-09-24 15:41:28

Not yet. Happy to try and reproduce 😉

Matthew Shaver (mshaver@us.ibm.com)
2018-09-24 15:45:42

I’m working on it now, but I’ll lay it out here so others can try: With iOS 11.3.x while restricting managed app to unmanaged app sharing, the contact share broke, but Calendars in an email account configured to the iOS mail agent could still be “read” by an unmanaged app. It seems that is no longer the case with iOS 12. I’m testing to see if the new contacts restrictions will “fix” calendars as well, or if Apple has cut off another feature

Mark Vonk (mark.vonk@dahvo.com)
2018-09-24 17:34:20

*Thread Reply:* What app did you test this with?

Matthew Shaver (mshaver@us.ibm.com)
2018-09-24 17:35:42

*Thread Reply:* We tested this with oCal

Mark Vonk (mark.vonk@dahvo.com)
2018-09-24 19:28:29

*Thread Reply:* I can't find an app with that name, maybe not available in my store (country). However tried some other apps (calendar widgets) and those still seem to be able to get the managed calendar info.

Matthew Shaver (mshaver@us.ibm.com)
2018-09-24 19:30:47

*Thread Reply:* Thanks for testing Mark!

Mark Vonk (mark.vonk@dahvo.com)
2018-09-24 19:31:33

*Thread Reply:* This is with MobileIron as MDM. Restriction set for Managed to Unmanaged. Weird issue!

Mark Vonk (mark.vonk@dahvo.com)
2018-10-09 16:17:30

*Thread Reply:* Funny thing, I am getting customer feedback that it's not working anymore also.

Mark Vonk (mark.vonk@dahvo.com)
2018-10-09 16:19:56

*Thread Reply:* For example, this app has a FAQ item on it: https://weekcalendar.zendesk.com/hc/en-us/articles/360016079071-Exchange-Calendar-Invisible-iOS12-MDM

Woody (eric.woodland@trust.tc)
2018-09-24 16:41:40

Curious - Anyone ever notice how if you enable Automatic Reply AND update your response message at the same time… iOS will only keep the fact that you turned on Automatic Reply? It totally discards the new response until you enable, exit and then add. I think it's been this way for me since… iOS 10 or so?

aaron (aaron@groundctl.com)
2018-09-25 12:46:01

Hey all. @Russell Mohr and @Jack Madden and I recorded a podcast about iOS 12 from an enterprise point of view. I hope you enjoy. https://www.brianmadden.com/podcast/Aaron-Freimark-and-Russ-Mohr-talk-iOS-12-BrianMaddencom-Podcast-136

🍾 Russell Mohr
Jack Madden (jackalexandermadden@gmail.com)
2018-09-25 19:13:45

*Thread Reply:* I re-listened to the whole thing last night—It’s pretty good 🙂

🙂 aaron, Woody, Russell Mohr
Mark Vonk (mark.vonk@dahvo.com)
2018-10-04 10:14:46

@here is anyone seeing and getting reports on iOS 12 and Exchange ActiveSync issues (ActiveSync reset, slow or no sync at all)?

Tycho (tycho@schenkeveld.com)
2018-10-04 10:15:08

Nope not seen this

Tycho (tycho@schenkeveld.com)
2018-10-04 10:15:29

And we did have many issues with ActiveSync last year with iOS 11. However we do use O365 not on-prem Exchange

Mark Vonk (mark.vonk@dahvo.com)
2018-10-04 10:17:08

I am seeing it myself on Exchange Online, but also customer(s) reporting issues. Might not be related, but just wanted to check. Thanks @Tycho

NicolasR (raison_nicolas@me.com)
2018-10-04 11:04:50

Nope

jafullersr (jafuller@starbucks.com)
2018-10-04 15:58:35

No issues to report here either.

Woody (eric.woodland@trust.tc)
2018-10-04 18:17:15

@Mark Vonk any particular version of EAS?

Mark Vonk (mark.vonk@dahvo.com)
2018-10-04 19:35:29

Exchange Online and on-premises 2013

Woody (eric.woodland@trust.tc)
2018-10-04 19:44:21

Okay. I’ve been using iOS 12 w/ Exchange Online (O365) for awhile with no issues. However, I’m using the OAuth approach not EAS.

Woody (eric.woodland@trust.tc)
2018-10-04 19:44:56

I believe @Jonathan Henson is running plenty of iOS 12 w/ On-Prem EAS 2013

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-04 19:47:00

Eol here with a few thousand iOS 12 devices. ActiveSync rather than OAuth for the profiles and no issues reported.

Jonathan Henson (jon@1fixpc.com)
2018-10-04 19:51:16

We haven't had any issues reported with EAS on iOS 12 devices from Exchange 2013. With that said, a few individuals were unable to create their initial EAS association after being migrated from a previous version of Exchange to Exchange 2013. Those few users needed to have 'inherit permissions' checked on the account to allow for the initial EAS association to be created.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2018-10-07 13:37:43

Anyone tried distributing iOS 12 Shortcuts across an MDM/EMM/UEM? Any advice?

aaron (aaron@groundctl.com)
2018-10-07 21:31:44

I was wondering that too. Webclips?

Jason (jasonh@bridgeway.co.uk)
2018-10-08 07:27:21

Exactly. Was away for the weekend, so haven't been able to test yet

jafullersr (jafuller@starbucks.com)
2018-10-08 17:33:46

A web clip opens the App Store to the Shortcuts app rather than the actual shortcut in the Shortcut app. Do you know if the Shortcut app has a URL scheme?

Jason (jasonh@bridgeway.co.uk)
2018-10-08 17:37:45

Seems to be a data:text/html;<base64 data> data string, but haven’t played with this today.

jafullersr (jafuller@starbucks.com)
2018-10-08 17:39:55

What I mean is that apps can designate a URL scheme that will allow you to open content or send data directly to the app. Safari responds to http:// or https://. The VMware Secure Browser is awb:// or awbs://. I’m curious if there is a way to interact with Shortcuts in the same way.

jafullersr (jafuller@starbucks.com)
2018-10-08 17:41:05

Tweetbot uses: tweetbot:// So you can get the timeline of a user with: tweetbot://<screenname>/timeline

Jason (jasonh@bridgeway.co.uk)
2018-10-08 17:42:04

Ah, I see. Not tested. This was the string that the homescreen webclip displayed. I didn’t have time to investigate any further since

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-08 17:43:06

I think they're "deep links" (I've used them for Yammer, and Box links too). Fun fact, you can use facetime://<AppleID> in your email signature for single click FaceTime calls.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2018-10-08 17:44:27

Oh?

👍 jafullersr
Jason (jasonh@bridgeway.co.uk)
2018-10-08 20:56:38

I’m familiar with these protocol URL calls, but didn’t know that they were called deep links. Learn something new everyday…

Jason (jasonh@bridgeway.co.uk)
2018-10-08 20:59:12

Thanks

Jeremy (jeremy@bodokh.com)
2018-10-08 21:29:11

Jeremy (jeremy@bodokh.com)
2018-10-08 21:29:17

For example

Jeremy (jeremy@bodokh.com)
2018-10-08 21:30:03

Taken from https://sharecuts.app

Jason (jasonh@bridgeway.co.uk)
2018-10-08 21:34:19

Yep, but this is importing the workflow into Shortcuts. It doesn’t create the webclip itself.

Jason (jasonh@bridgeway.co.uk)
2018-10-08 21:37:38

Or have I missed something?

Jason (jasonh@bridgeway.co.uk)
2018-10-08 21:52:58

Is there a <shortcuts://run-workflow?url=>... or similar?

Jeremy (jeremy@bodokh.com)
2018-10-08 22:24:18

Do you want to create a web clip ?

Jason (jasonh@bridgeway.co.uk)
2018-10-09 07:11:12

Yup, to distribute to a number of devices. Can it be done?

Jeremy (jeremy@bodokh.com)
2018-10-09 09:46:56

If it’s just a webclip you can do it with a profile

Tinus (freewheelzgroningen@gmail.com)
2018-10-09 12:12:18

@Tinus has joined the channel

Herman (herman@thijssens.nl)
2018-10-09 12:18:01

@Herman has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-09 14:41:09

12.0.1 has dropped

aaron (aaron@groundctl.com)
2018-10-09 15:03:58

Also Apple stopped signing 11.4.1.

Martijn (mvandijk@mobileiron.com)
2018-10-10 10:39:58

@Martijn has joined the channel

TedStryker (supacatsf@gmail.com)
2018-10-10 12:00:53

@TedStryker has joined the channel

Carlos Martin (cmartin@qolcom.co.uk)
2018-10-11 12:26:16

@Carlos Martin has joined the channel

Carlos Martin (cmartin@qolcom.co.uk)
2018-10-11 12:32:01

Is there any way using MI Core to enforce FindMyPhone to be enabled on all devices, and also stop the user from disabling it?

aaron (aaron@groundctl.com)
2018-10-11 13:32:07

No.

aaron (aaron@groundctl.com)
2018-10-11 13:33:48

It isn’t a MI limitation, it’s an Apple limitation. But if your devices are supervised (DEP, usually), then you have “Lost Mode” which can’t be disabled.

aaron (aaron@groundctl.com)
2018-10-11 13:34:13

Lost mode is like FMiP for Enterprise, kinda.

aaron (aaron@groundctl.com)
2018-10-11 13:35:12

With lost mode, GPS coordinates are sent back to MobileIron, and the device becomes locked with a message of your choice.

aaron (aaron@groundctl.com)
2018-10-11 13:35:34

No Apple ID needed.

Carlos Martin (cmartin@qolcom.co.uk)
2018-10-11 15:08:45

Thanks Aaron. Yes, devices are supervised and DEP. We tested what you suggested and it worked perfectly. It is good to know that it is an Apple restriction rather than a MI one.

aaron (aaron@groundctl.com)
2018-10-11 15:14:24

Yeah, Apple has a problem allowing business to spy on employee’s locations without notification. That’s one reason Lost Mode locks the device.

aaron (aaron@groundctl.com)
2018-10-11 15:14:58

Tip: Lost Mode seems to work even if someone turns off Location Services.

Adam Case (ajcase@us.ibm.com)
2018-10-17 17:25:03

Anyone hearing any rumblings about DEP issues today?

Woody (eric.woodland@trust.tc)
2018-10-17 17:44:57

Not yet @Adam Case

Woody (eric.woodland@trust.tc)
2018-10-17 17:45:19

At this point, it’s just YouTube this and YouTube that

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-17 17:53:27

We've not had anything raised by our users.

jafullersr (jafuller@starbucks.com)
2018-10-17 18:11:44

I’ve been having VPP issues in business.apple.com

jafullersr (jafuller@starbucks.com)
2018-10-17 18:11:52

No DEP issues yet.

Jason (jasonh@bridgeway.co.uk)
2018-10-17 19:44:39

Only that I keep calling it DEP, when I’m told that it should be simply “Device Enrolment”… 😂

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-17 20:12:12
😆 Woody, Jason
Adam Case (ajcase@us.ibm.com)
2018-10-22 20:32:21

I can’t help but say “DEP Program”. Ugh… Redundant Acronyms

Mark Vonk (mark.vonk@dahvo.com)
2018-10-22 20:48:33

ABMhhm all the way now

Jason (jasonh@bridgeway.co.uk)
2018-10-23 09:37:31

Always Be M… ? Mobile? Multitasking? Making acronyms?

Jason (jasonh@bridgeway.co.uk)
2018-10-23 09:39:06

Wrong answers only, please!

NicolasR (raison_nicolas@me.com)
2018-10-23 22:54:49

Apple Business Manager 😂

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-23 22:55:47

That's the guy I call when I need to place an order for new MacBooks yeah?

NicolasR (raison_nicolas@me.com)
2018-10-23 22:57:35

For sure!

Ankur Acharya (ankuracharya@gmail.com)
2018-10-25 02:59:50

https://gizmodo.com/apple-reportedly-blocked-police-iphone-hacking-tool-and-1829974710

😬 Woody, Ankur Acharya
Matthew Shaver (mshaver@us.ibm.com)
2018-10-31 13:46:25

Anyone have a US based DEP enrollment going on today that can answer a question - when you are going through the enrollment process on the “Remote Management” screen, when you tap “About Remote Management” does the address displayed show the State in the listing or just the city?

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2018-11-03 09:35:36

@Daniël Kraaijeveld has joined the channel

Erica Mixon (emixon@techtarget.com)
2018-11-07 16:51:27

@Erica Mixon has joined the channel

Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 01:45:26

Seems like a significant change was made in a minor release (12.1.1 first beta)

aaron (aaron@groundctl.com)
2018-11-09 02:29:07

@Matthew Shaver AppleSeed for IT has more info on that, see the last sentence especially.
> Profile Installation
>
> iOS 12.1.1 beta 1 introduces a new workflow for manually installing configuration profiles. When you manually install a profile, for example from a website or an email message, you will receive a notification that the profile has been downloaded. To install the profile you must launch Settings and tap General then tap Profiles or Devices Management. You will see a list of Downloaded Profiles. You can inspect each one and install or delete it. If you do not install the profile within 24 hours of downloading it, it will be deleted automatically.
>
> There is no change for profiles installed by Mobile Device Management (MDM), or for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, this does change the workflow for manually enrolling in MDM. Please test your MDM enrollment workflow and file feedback for any problems you find.
>
> Apple plans to test this workflow in iOS 12.1.1 beta but revert it in iOS 12.1.1 GM. We plan to include it in a future iOS 12 GM update.

😬 Alex Chappuis
👍 Alex Chappuis
Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 02:30:49

I provided them some feedback and they sent that through. Thanks! I’m finding a few issues with it, mostly that it no longer respects the DEP Profile if the device re-enrolls without reset

Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 02:31:32

It’s also a bit annoying that there is no difference in the workflow if the device is supervised, it adds taps which always angers the admins

aaron (aaron@groundctl.com)
2018-11-09 02:32:05

But MDM can still install profiles silently, right?

Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 02:32:27

Via DEP, yes, I haven’t tried the Apple Configurator workflow yet

Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 02:41:32

It’s not recognizing the supervision in AC2, may just be a beta bug though

Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 02:42:25

It was making me go to the settings and tap install just like the manual workflow

Martin (martin.blattmann@nomasis.ch)
2018-11-09 19:18:47

@Martin has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-09 20:58:52

So from the note there I assume that further profiles installed via MDM (updates WiFi, mail, VPN profiles etc) will still install silently with or without DEP?

Matthew Shaver (mshaver@us.ibm.com)
2018-11-09 21:49:06

Seems that way, yes

Woody (eric.woodland@trust.tc)
2018-11-09 23:16:03

Anyone playing with the 12.1.1 Beta 2? Interesting behavior I’m seeing regarding iOS MDM profile “Downloads”. Doesn’t force install. Just installs to Settings, then advises to install if you want to keep it.

Maxime Crouzet (maxime@mobinergy.com)
2018-11-09 23:16:36

@Maxime Crouzet has joined the channel

Woody (eric.woodland@trust.tc)
2018-11-09 23:18:30
Woody (eric.woodland@trust.tc)
2018-11-09 23:18:33
Woody (eric.woodland@trust.tc)
2018-11-09 23:18:38
jafullersr (jafuller@starbucks.com)
2018-11-09 23:38:56

Opt-in or UAMDM on iOS?

jafullersr (jafuller@starbucks.com)
2018-11-09 23:39:06

Assuming this isn’t DEP.

Woody (eric.woodland@trust.tc)
2018-11-10 00:10:11

BYOD. Direct enroll against Workspace ONE UEM (or inside one of the agents). No DEP involved.

Jack Madden (jackalexandermadden@gmail.com)
2018-11-10 00:13:43

Wow. One more step to ask BYOD users to deal with.

😥 Alex Chappuis, Russell Mohr
Woody (eric.woodland@trust.tc)
2018-11-10 00:30:40

Admittedly I’ve been testing out all the new Workspace ONE UEM + ViDM + App consolidation updates, but I think this is a result of something on the iOS side. I can’t see something like that sticking around. You’re lucky to get a user to complete enrollment as-is. That would surely drive the enrollment abandonment rates through the roof.

Andrew Olpin (andy@olpin.us)
2018-11-10 01:11:49

@Andrew Olpin has joined the channel

Karthic (karthicbe@gmail.com)
2018-11-10 03:58:54

@Karthic has joined the channel

mahiroux (mhyb.mk@gmail.com)
2018-11-10 04:20:57

@mahiroux has joined the channel

Phil Hackett (phil.hackett83@gmail.com)
2018-11-10 06:18:44

@Phil Hackett has joined the channel

KevM (kevin@meager.me)
2018-11-10 09:20:49

@KevM has joined the channel

Jason Bayton (jason@bayton.org)
2018-11-10 13:57:47

That's going to suck just a little more for customers not supervising their estate (of which I know many).

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-10 15:56:51

It’s going to suck majorly for us.... we have DEP enabled... but only in about 15 countries... less than half our user estate.

Tycho (tycho@schenkeveld.com)
2018-11-14 13:48:30

*Thread Reply:* FWIW Apple has done this UAMDM on Mac for a while (since 10.13.2), this is why I amended the process to enable the user to manually click that.

The biggest change actually is that under High Sierra it wasn't super needed, the only real actual ability that was blocked without it was the loading of kernel modules. But in Mojave there are a bit more things under it.

John K (john.keogh@ihsmarkit.com)
2018-11-10 17:00:29

@John K has joined the channel

NicolasR (raison_nicolas@me.com)
2018-11-10 18:35:07

OMG... that's awful UX...

Bart T. (bart.thomas@proximus.com)
2018-11-10 21:29:41

@Bart T. has joined the channel

Jason Bayton (jason@bayton.org)
2018-11-10 23:43:22

It’s baffling. Google are over here working to improve the work/personal divide while ensuring a smooth and simple enrolment process, while Apple flip IT the bird and actively make it more difficult to enrol a BYOD device.

NicolasR (raison_nicolas@me.com)
2018-11-10 23:45:24

They said “security”.... hum hum hum

Jason Bayton (jason@bayton.org)
2018-11-10 23:48:11

If you’re duped into downloading a profile in the first place, I don’t see how adding an extra step will stop you from installing it, really.

aaron (aaron@groundctl.com)
2018-11-10 23:49:35

Apple’s making it more difficult for a user to enroll a device into MDM without thinking twice. Lots of us will tap on a dialog by muscle memory. Modifying Settings? Not so common.

aaron (aaron@groundctl.com)
2018-11-10 23:52:24

I’m sure Apple also has in mind two phones for each of us: work (easy to enroll) and personal (easy to keep work away).

Tycho (tycho@schenkeveld.com)
2018-11-14 13:50:42

*Thread Reply:* But yet they still haven't added a work profile mode which I really love on Android because it allows you to keep the work part completely separate. I really wish Apple would do that.

Tycho (tycho@schenkeveld.com)
2018-11-14 13:51:49

*Thread Reply:* I think the UX on work profile is really great. One tap and all work stuff is off, and you can still use the same apps for personal use.

aaron (aaron@groundctl.com)
2018-11-14 13:54:55

*Thread Reply:* Thanks for explaining that. I’m deep in the Apple bubble, so was only partially aware of that. Seems like something Apple could easily implement for unsupervised devices.

aaron (aaron@groundctl.com)
2018-11-14 13:55:17

*Thread Reply:* Or even supervised ones, as long as there is an option to disable.

Tycho (tycho@schenkeveld.com)
2018-11-14 15:22:49

*Thread Reply:* Yes that's the big benefit of work profile mode. It's ideal for BYO scenarios. It creates a container on your phone with all your work stuff, and only that container is managed by the company. The MDM can only 'see' inside the container, e.g. it can't even see what apps you have installed personally.

So it's a good balance between privacy and security. Any apps installed into the profile will get a badge on top so you can tell the difference between them and the same app on your general phone. You also have separate storage so you can make sure corp. info can't be shared to personal apps if you like (we do this). And I really like the way I can just toggle the work profile off, which means all notifications will be muted (and even the background app update disabled for work apps).

Tycho (tycho@schenkeveld.com)
2018-11-14 15:23:23

*Thread Reply:* With Apple you only have the full enrolment option really (though you do have the supervised/non supervised difference)

aaron (aaron@groundctl.com)
2018-11-14 16:48:33

*Thread Reply:* What happens if you have the same app in both work and personal? Two copies?

Russell Mohr (rmohr@mobileiron.com)
2018-11-17 10:56:31

*Thread Reply:* Yep. Work Camera and Personal Camera etc

aaron (aaron@groundctl.com)
2018-11-17 18:48:41

*Thread Reply:* That wouldn’t be the Apple way then.

Tycho (tycho@schenkeveld.com)
2018-11-19 15:32:59

*Thread Reply:* Not in the way Android do it, but they wouldn't necessarily have to implement it in the same way. I could see Apple making something where you "flip" the screen around to a second homescreen for business. Until recently a dual-sim phone wasn't Apple's way either but they turned that around too.

They'd just make the difference more clear. And the 2 cameras aren't a good example, they're not needed in most cases because you can usually share from personal -> Work, just not the other way around. But having 2 mail apps is quite handy IMO. I just wish they were a bit easier to tell apart, there's only a tiny overlay while using them. Having one with a work branding or different tint colour would be better.

Especially considering Apple's pricing now I don't think they can keep expecting people to buy phones privately if they already get one for business 🙂 It's really what put me off Apple. I've been using Macs since OSX 10.2 and iPhones since the iPhone 1. But I really won't consider spending as much on a phone as they're asking now...

And I think while Google's way is not perfect it's definitely an out of the box rethink that better addresses how to combine work use with private use. For example: One thing that I really don't like with Apple's way is how easy it is to mistakenly create a contact in the wrong address book. Most of my personal contacts on my iPhone were in the work address book so when I unenrolled it from MDM they all disappeared from my phone. I've also several times sent an email to colleagues from my private address by mistake which caused the email address to be added to their reply lists, and it took a long time to get that address off everyone's address books again 🙂

aaron (aaron@groundctl.com)
2018-11-19 22:36:51

*Thread Reply:* Great response. Much to think about.

Jason Bayton (jason@bayton.org)
2018-11-10 23:59:18

I don’t doubt that for a moment. The road back to 1 trillion was never going to be easy (for the end user) 😄

Victor Cruz (victor@cruzcid.com)
2018-11-11 21:21:19

@Victor Cruz has joined the channel

Captain Web (tristan.valente@amaris.com)
2018-11-12 15:42:36

@Captain Web has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-12 16:08:55

Has anyone ever heard of a carrier or supplier charging to add devices to the DEP portal on dispatch?

We have a carrier in India looking to charge us something like a couple of euros per device to simply add it to the portal.

We already have 20 suppliers on our portal who don't charge, just wondering if anyone has seen anyone doing this?

Jason (jasonh@bridgeway.co.uk)
2018-11-12 16:18:04

Nope, and I would think this breaches Apple’s Ts&Cs. Ask them to put it in writing so that you can discuss with Apple? 😂

Mark Vonk (mark.vonk@dahvo.com)
2018-11-12 16:43:22

Yes it does breach Apple’s terms and conditions. I know that Apple here is very strict in this and will throw the supplier out of the DEP program.

👍 Jason, Woody
Jason Bayton (jason@bayton.org)
2018-11-12 16:47:14

Don't Telefonica charge also?

Jason (jasonh@bridgeway.co.uk)
2018-11-12 16:51:31

@Jason Bayton I’ve not seen this and would be surprised if that were the case. EE/BT and Telefonica may have minimum size limits, but that’s a separate issue.

Jason (jasonh@bridgeway.co.uk)
2018-11-12 16:51:50

Thank the Lord for Configurator self-enrolment into DEP.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-12 16:54:58

I have a feeling that it’s to do with the distributors.

If you buy direct from DEP Providers I expect they don’t charge as they’re contracted not to.

But if you buy from somewhere that isn’t supplying the device themselves but are using a 3rd party distributor like Ingram Micro, they may be being charged a nominal fee by them, which they are trying to pass on.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-12 16:55:58

Btw I have it in writing from them so will pass onto Apple and get their feedback.

Jason (jasonh@bridgeway.co.uk)
2018-11-12 16:56:51

I don’t believe disties are allowed to charge, either.

Jason (jasonh@bridgeway.co.uk)
2018-11-12 16:57:04

But do let us know how you get on. 🙂

JP Guldfeldt (jpguldfeldt@hotmail.com)
2018-11-12 19:20:41

@JP Guldfeldt has joined the channel

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-13 14:51:36

@Simon Hardy-Bistagne we already had some Zero-touch partners asking for 1$ / device to add the devices in the Zero-touch Portal and some partners requiring a "DEP initial enrollment fee"...but never a fee to add a single device in the DEP program!

😳 Woody
Nicola (nicola.aloise@nomasis.ch)
2018-11-13 15:42:59

@Nicola has joined the channel

JF Rigot (jr@mob.co)
2018-11-13 16:34:27

@JF Rigot has joined the channel

NicolasR (raison_nicolas@me.com)
2018-11-13 17:22:23

We do that for free 😄

Karim (karim.trivier@codalis.ch)
2018-11-13 17:36:38

@Karim has joined the channel

Ray (raymond.wright@gov.scot)
2018-11-13 17:45:42

@Ray has joined the channel

Woody (eric.woodland@trust.tc)
2018-11-13 18:26:15

Is it me, or is Calendar sluggish as a whole in iOS 12?

Phil Hackett (phil.hackett83@gmail.com)
2018-11-13 19:50:12

*Thread Reply:* We are seeing sluggishness too. Mainly with opening meeting invites with large number of invitees (20+). We opened a support case with Apple, but they didn’t really want to know about it.

Woody (eric.woodland@trust.tc)
2018-11-13 19:57:08

*Thread Reply:* It seems like any time I launch Calendar… there’s a 5-10 second wait until it’s responsive

NicolasR (raison_nicolas@me.com)
2018-11-13 22:52:22

*Thread Reply:* I see GAL lookup issues since iOS 12 (+ office365)

👍 Woody
Woody (eric.woodland@trust.tc)
2018-11-14 02:00:37

*Thread Reply:* My phone (BYOD) has a combo of calendars from iCloud, O365 and Gmail… so it’d be tough to say

Russell Mohr (rmohr@mobileiron.com)
2018-11-17 10:58:28

*Thread Reply:* Sluggish calendar and GAL lookup issues for me too

👍 Woody
John O Andersen (joa@techstep.no)
2018-11-14 06:05:32

@John O Andersen has joined the channel

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2018-11-14 07:40:30

Deutsche Telekom also charges 5€ for every device or 500€ once.

Jonas Hofer (jonas.hofer@nomasis.ch)
2018-11-14 07:57:48

@Jonas Hofer has joined the channel

Seb (seb.michaut@gmail.com)
2018-11-14 13:56:33

@Seb has joined the channel

Arjan Vermeulen (mobilxperts@arjanvermeulen.nl)
2018-11-14 14:15:09

@Arjan Vermeulen has joined the channel

Christian Bell (christian.bell@broadcom.com)
2018-11-14 14:20:57

@Christian Bell has joined the channel

Alex Chappuis (alex@creasion.ch)
2018-11-14 14:20:59

@Alex Chappuis has joined the channel

Tim Ward (tim.ward@artisanpartners.com)
2018-11-14 14:45:46

@Tim Ward has joined the channel

Jeoffrey Burri (generi@generi.ch)
2018-11-14 14:56:53

@Jeoffrey Burri has joined the channel

Sascha Mogler (sascha@mogler.com)
2018-11-14 15:02:48

@Sascha Mogler has joined the channel

John O Andersen (joa@techstep.no)
2018-11-15 06:05:44

Anyone done user certificate from MDM on O365 Apps iOS? Certificates are present but not picked up/seen by for example Outlook. Anyone, what’s lacking?

Subbzz (s.subiah@septagon.co.nz)
2018-11-15 07:24:14

@Subbzz has joined the channel

Woody (eric.woodland@trust.tc)
2018-11-15 20:32:08

@John O Andersen you’re talking CBA into Azure for modern O365 services (Exchange Online/Word/Excel/SharePoint/etc) Everything except ActiveSync. Right?

Woody (eric.woodland@trust.tc)
2018-11-15 20:32:54

Are you using AAD as the IdP or a 3rd Party?

John O Andersen (joa@techstep.no)
2018-11-15 20:34:57

Using internal Microsoft user CA managed by Citrix XenMobile/Endpoint Management to the device... O365 client not seeing CBA alternative to Azure

Woody (eric.woodland@trust.tc)
2018-11-15 20:38:41

Okay, so when you access your O365 tenant/service, is it prompting you to select a certificate? Or are you redirected to your IdP to sign-in?

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:47:02

Is your CRL internet-facing? Ie. do you have the CRL published on the internet somewhere?

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:53:34

Suggest to read: https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started and follow the configuration and requirements from there.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-15 20:54:21

Have you got your IdP configured to check for the cert rather than Azure?

Woody (eric.woodland@trust.tc)
2018-11-15 21:08:35

@Simon Hardy-Bistagne right there with you. Trying to determine who in this scenario should actually be prompting for the cert (and why he’s not able to offer one up)

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 21:17:55

It sounds like AAD is the IDP, but I am not sure.

Duncan (duncan@govalux.com)
2018-11-15 21:53:38

@Duncan has joined the channel

DGambinoII (wubino7@msn.com)
2018-11-16 03:07:32

@DGambinoII has joined the channel

David Arvidsson (david.arvidsson@techstep.se)
2018-11-16 10:09:50

@David Arvidsson has joined the channel

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 11:46:42

@Almar Diehl has joined the channel

Mirco Reimer (slack@mircoreimer.de)
2018-11-17 08:39:15

@Mirco Reimer has joined the channel

Matthew Shaver (mshaver@us.ibm.com)
2018-11-20 19:51:04

Don’t know about other admins but we get a lot of questions around iOS restore behavior when working with DEP devices. There are some answers on the web with a quick search through old forums, but I’ve created a quick reference guide for iOS 12.x if anyone needs it:

👍 Mark Vonk, Sascha Mogler, aaron, Amine, Russell Mohr, NicolasR, Jason, Daniël Kraaijeveld, Nicola, Phil Hackett, Mirco Reimer, Julio, jafullersr, KevM, RobE, Nick Knight
msavolainen (mikko.savolainen@datainfo.fi)
2018-11-21 12:52:44

@msavolainen has joined the channel

Robin Hobo (robinhobo@outlook.com)
2018-11-24 06:20:36

@Robin Hobo has joined the channel

Rob (robertmjames22@gmail.com)
2018-11-26 23:16:34

@Rob has joined the channel

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2018-11-28 10:34:32

@Philip Harrison (CWSI) has joined the channel

Sebastiaan (sebastiaan.smits@dahvo.com)
2018-11-28 12:17:16

@Sebastiaan has joined the channel

Jay (jessica.jamison@hotmail.com)
2018-11-28 20:24:35

@Jay has joined the channel

Julio (julio.vita@hotmail.de)
2018-11-29 20:19:50

@Julio has joined the channel

Julio (julio.vita@hotmail.de)
2018-11-30 07:19:15

Morning, I have a question regarding first activation of an iPhone. Is a sim card not mandatory anymore in order to activate the device?

Jeremy (jeremy@bodokh.com)
2018-11-30 08:29:13

It’s not anymore

Jeremy (jeremy@bodokh.com)
2018-11-30 08:30:07

They changed that during iOS12 Beta if I remember correctly

Julio (julio.vita@hotmail.de)
2018-11-30 08:52:37

Ah okay, good to know.

Morten Lauritzen (morten.lauritzen@citrix.com)
2018-11-30 10:05:48

@Morten Lauritzen has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2018-12-05 19:04:41

@Kiran Patel has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2018-12-05 19:05:18

Great now that iOS 12.1.1 is GA what is everyone doing for the MDM profile install behavior change?

Matthew Shaver (mshaver@us.ibm.com)
2018-12-05 19:07:07

According to our sources that shouldn’t be live in the GA. I think it’s probably slated for 12.3

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-05 19:07:49

This is what I've been told... are you seeing that the GA includes this new "feature"?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:35:02

No

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:35:18

MDM profile installs as per usual

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:35:41

No need to perform extra steps with 12.1.1

Julio (julio.vita@hotmail.de)
2018-12-05 19:37:08

Out of curiosity, even though it is not happening now; what is set to be changed in the mdm profile install process?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:39:41

https://www.ibm.com/developerworks/community/blogs/4d57676c-a8cd-4907-9910-b21f35a1e5c6/entry/iOS_12_Manual_MDM_Enrollment_Changes?lang=en

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:41:18

Basically; you download the mdm profile, but it does not install. The user has to manually install it

Julio (julio.vita@hotmail.de)
2018-12-05 19:41:52

Wow, why is that? Can‘t it be enforced anyway?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:41:53

That is for non-DEP devices

Julio (julio.vita@hotmail.de)
2018-12-05 19:42:06

Ah

Julio (julio.vita@hotmail.de)
2018-12-05 19:42:08

Ok

Julio (julio.vita@hotmail.de)
2018-12-05 19:42:10

Pheew

Julio (julio.vita@hotmail.de)
2018-12-05 19:42:18

Thought for all types

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:42:24

To fight off malware that uses mdm profiles

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:42:52

And make DEP even more important for corporate devices

Julio (julio.vita@hotmail.de)
2018-12-05 19:43:17

Good to know, thanks for sharing

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 19:44:21

As far as I know it will be released in 12.3. The .3 release is typically the education and enterprise feature release for iOS

Matthew Shaver (mshaver@us.ibm.com)
2018-12-05 19:48:18

The biggest problem I saw in the beta (outside the completely new workflows) is that the device being supervised didn’t make a difference in the way the profile was treated, so this is probably gonna be a big PITA for folks not using DEP to enroll.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-05 19:55:03
Julio (julio.vita@hotmail.de)
2018-12-05 20:01:41

Thank god we got DEP in place, can imagine this messing up a lot of people’s setup

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 20:02:37

It sucks, but Apple has been saying DEP is the only way for corporate devices going forward for years now. Have a number of customers who never “believed” it or found it cumbersome to do DEP.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-05 20:03:38

Guess they will have to rethink

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-05 20:03:54

We have DEP in 13 countries... 17 suppliers... that makes up probably 60% of our corp devices.... China... most of south america... a lot of asia.... no DEP available at all from Apple... Going to make life suck for our users unless the EMMs can automate this.

Kiran Patel (kiran@kiranpatel.net)
2018-12-05 20:03:59

Phew thanks guys - I was running around with meetings and got the Appleseed email so I freaked out

Matthew Shaver (mshaver@us.ibm.com)
2018-12-05 20:12:37

@aaron did your teams do any testing with the new profile setup in the beta to see if there were any automation possibilities?

👍 Kiran Patel
aaron (aaron@groundctl.com)
2018-12-05 22:52:56

@Matthew Shaver we tested non-dep enrollment with the 12.1.1 betas and our process was unaffected. That is, silent installation on supervised devices did not prompt. That’s really good.

👍 Matthew Shaver
aaron (aaron@groundctl.com)
2018-12-05 22:53:06

So our customers won’t be affected.

NicolasR (raison_nicolas@me.com)
2018-12-05 22:56:14

... for now... 😢

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-05 23:03:40

I think DEP users will be fine.

It's the new process for non DEP that will add the confusion if it can't be agent automated.

Damian (support@expertmobilite.com)
2018-12-05 23:05:30

We are all nearly non DEP 🤦‍♂️

NicolasR (raison_nicolas@me.com)
2018-12-05 23:08:26

A lot of customers migrate from one EMM to another... this is a p** in the a** for the end user and for the support team...

Damian (support@expertmobilite.com)
2018-12-05 23:09:23

It’s just typical from the likes of Apple and Microshaft - don’t listen to the customer

Damian (support@expertmobilite.com)
2018-12-05 23:10:48

Same if you want to revoke the Azure AD refresh token - the only parameter that it accepts is ObjectID but that’s another story for another day 😭

Kiran Patel (kiran@kiranpatel.net)
2018-12-07 10:13:53

*Thread Reply:* @Damian how do you systematically do this?

Damian (support@expertmobilite.com)
2018-12-07 10:25:47

*Thread Reply:* We use AirWatch and the feature exists to revoke the token but only if your onprem UPN matches your cloud UPN. It’s not our case and we have to create a script to address this

Damian (support@expertmobilite.com)
2018-12-07 10:26:46

*Thread Reply:* I’ve requested a feature enhancement since July this year

Kiran Patel (kiran@kiranpatel.net)
2018-12-08 17:47:04

*Thread Reply:* Thanks Damian!

Jason (jasonh@bridgeway.co.uk)
2018-12-06 09:47:31

There goes the BYOD enrolment process then…

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-06 12:26:45

We started to collect global feedback from our customers and will get back to Apple soon - see the following form on our website and feel free to participate: https://nomasis.ch/apple-petition/

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-06 12:26:59

(for the time being it's only in German).

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-06 12:29:24

we know that most customers will complain if Apple brings this change!

aaron (aaron@groundctl.com)
2018-12-06 13:02:42

Seems to me Apple is proactively asking for feedback on this new MDM process for BYOD. They allowed everyone to preview this long before introduction. They have never done that before. So please do provide feedback to them. And if you don’t like this new system, feel free to recommend alternative ways to protect non-corporate users from malicious MDM enrollment while keeping it easy for corporate users.

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2018-12-07 10:15:11

*Thread Reply:* That is a very good point Aaron. While I initially focused on the negatives of the idea from an MDM enrollment process I didn’t think of the security aspect

👍 Woody
Matthew Shaver (mshaver@us.ibm.com)
2018-12-06 13:13:55

We know that some large clients of even larger importance have asked them not to do this in 12 and that the answers they received were pretty much “you know it’s coming, do what you need to prepare”, so I don’t have high hopes that they’re going to listen to that feedback

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-06 13:27:21

So we got the blended reply... it's coming... get ready... but make sure you feedback as we really want to hear from you...

jafullersr (jafuller@starbucks.com)
2018-12-06 19:21:59

We’ve had top-to-top meetings with Apple on the BYOD enrollment process and they continue to say they’re working to meet the needs of the enterprise. This proves otherwise. If the MDM agent is used to enroll, can’t Apple make the determination that this is a trusted agent and can perform MDM enrollment?

👍 Kiran Patel
Preetham Guram (spurtipreetham.g@gmail.com)
2018-12-06 19:24:01

*Thread Reply:* In terms of implementation, I don’t think it is workable for Apple to ensure if it is a trusted agent.

jafullersr (jafuller@starbucks.com)
2018-12-06 19:26:21

*Thread Reply:* All of the agents are on their App Store and go through the rigor of their vetting process. Couldn’t there be extra rigor for MDM agents? It’s really just a thought, but this separation of the profile from the process is a pain.

👍 Mark Vonk, Julio, Woody
Preetham Guram (spurtipreetham.g@gmail.com)
2018-12-06 19:32:49

*Thread Reply:* Okay.

Jack Madden (jackalexandermadden@gmail.com)
2018-12-06 23:35:25

*Thread Reply:* More thinking out loud: Apple could move more of the invasive MDM features over to DEP/supervised (like device wipe, app polling, device-wide VPN). That would make MDM enrollment slightly more benign. But, as long as MDM can be used to trust enterprise developers, then it’s still a route for installing malware. So we’re stuck.

Jack Madden (jackalexandermadden@gmail.com)
2018-12-06 23:35:49

*Thread Reply:* Maybe it’s just that enterprise-signed apps on BYO shouldn’t be a thing?

Jack Madden (jackalexandermadden@gmail.com)
2018-12-06 23:36:16

*Thread Reply:* extreme, but I could see there being a case for “If you don’t own the device, the app has to go through the public store”

Jack Madden (jackalexandermadden@gmail.com)
2018-12-06 23:37:50

*Thread Reply:* and then non-supervised/non-DEP MDM has a much more limited scope, like MDM light; much more palatable for BYOD; maybe allows multiple enrollments, etc.

Jack Madden (jackalexandermadden@gmail.com)
2018-12-06 23:38:13

*Thread Reply:* As I wrote… https://www.brianmadden.com/opinion/Its-okay-to-say-no-to-BYOD-and-have-two-phones-for-users-or-IT

aaron (aaron@groundctl.com)
2018-12-07 00:30:47

*Thread Reply:* The way for Apple to implement your suggestion would be to use a new entitlement for App Store apps. The entitlement system is already used for CarPlay apps, GPS apps, VoIP apps… This would be an entitlement that declares “I’m allowed to install an MDM profile without extra effort.”

👍 Woody, Kiran Patel, jafullersr
aaron (aaron@groundctl.com)
2018-12-07 00:31:39

*Thread Reply:* By using entitlements, Apple could keep a close watch on MDM apps to make sure they are legit.

👍 Woody, Simon Hardy-Bistagne, Kiran Patel, jafullersr
jafullersr (jafuller@starbucks.com)
2018-12-07 16:04:08

*Thread Reply:* ⬆️ This. This right here. Thanks @aaron

aaron (aaron@groundctl.com)
2018-12-07 16:13:02

*Thread Reply:* Let your buddies at Apple know

MichaelM21 (mike.miller815@yahoo.com)
2018-12-10 12:57:10

@MichaelM21 has joined the channel

Julio (julio.vita@hotmail.de)
2018-12-11 13:41:23

Unfortunately can’t open the link. What does it say?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-11 13:42:24

Have a look at the following link: there are some new requirements for Certificates since iOS 12.1.1: https://support.apple.com/en-us/HT205280

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-11 13:43:00

failing to comply will prevent TLS connection, i.e. MDM enrollment, checkins, activesync etc....

👍🏻 Jay, Woody
Mitch Berk (mitchberk@gmail.com)
2018-12-11 13:43:15

@Mitch Berk has joined the channel

Julio (julio.vita@hotmail.de)
2018-12-11 13:47:05

Thanks for sharing

Matthew Shaver (mshaver@us.ibm.com)
2018-12-11 15:37:41

iOS BETA 12.1.2 is out and it has the same behavior we saw before with manual enrollments. If you haven’t been hands on with the workflow and your environment relies upon manual (non-DEP) enrollments, I’d recommend testing and preparing any documentation you have for updates. From everything we’ve heard, despite feedback, Apple is moving forward with the changes and they’re likely going to drop in the 12.3 release

😡 Simon Hardy-Bistagne, Julio, Woody, Alex Chappuis
Julio (julio.vita@hotmail.de)
2018-12-11 16:07:17

Just for clarification, it will be live with 12.3 not 12.1.3 right?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-11 16:11:49

AirWatch told us 12.1.3

But it sounds like more of an 12.3 thing...

Julio (julio.vita@hotmail.de)
2018-12-11 16:14:38

Ok🤔

Matthew Shaver (mshaver@us.ibm.com)
2018-12-11 18:04:06

12.3 is what we’ve been told as well

NicolasR (raison_nicolas@me.com)
2018-12-11 18:26:17

With that change I see an opportunity for Apple to create a “work off” button in iOS. Because the profile is here but not enabled...

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-11 18:31:22

Potentially... though I expect (and not yet tested) that if you disable the profile, any apps and further profiles would be removed, no?

If you think about it AE-WP has the work button

NicolasR (raison_nicolas@me.com)
2018-12-11 18:32:37

iOS has the ability to offload apps when they are not used for some time... why not do the same when you disable the profile?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-11 18:39:36

I could see some really big show stoppers there if you weren't able to control this... Imagine your CEO turning work mode off overnight... then Monday morning in the car on his way to the office he turns it back on... Outlook can't install as it's over the limit iOS allows you to install over 4G... boom... no emails.

The offload feature is fine for consumer use... but for enterprise use it's potentially a production killer.

👍 Woody, Tycho
Woody (eric.woodland@trust.tc)
2018-12-11 18:41:58

Agree @Simon Hardy-Bistagne. I agree, iOS needs a button to turn off work but they need to do it in a way that just pauses the app/related notifications until it’s turned back on. Removing in a style similar to the offload feature would be incredibly painful

NicolasR (raison_nicolas@me.com)
2018-12-11 20:26:55

I agree too. What I meant was that iOS is able to completely programmatically separate the binary (i.e., app functionalities) and the data set.

👍🏻 Simon Hardy-Bistagne
Damian (support@expertmobilite.com)
2018-12-11 21:16:26

Apple confirmed that the offload unused apps feature doesn’t apply to managed apps

Tycho (tycho@schenkeveld.com)
2018-12-12 11:53:52

*Thread Reply:* Hm I don't think this is true, it has happened several times to me that it did offload managed apps when I was still using iOS. However this was in the iOS 11 days.

Tycho (tycho@schenkeveld.com)
2018-12-12 11:54:28

*Thread Reply:* I know because it caused some issues with my compliance: One time it offloaded Lookout which is required for our compliance 🙂

Damian (support@expertmobilite.com)
2018-12-12 14:23:12

*Thread Reply:* I’m just stating what Apple officially told me 😉

Damian (support@expertmobilite.com)
2018-12-12 14:23:29

*Thread Reply:* However we have seen some cases whereby WS1 was offloaded

Damian (support@expertmobilite.com)
2018-12-12 14:23:41

*Thread Reply:* And it’s a managed app 😂

Damian (support@expertmobilite.com)
2018-12-12 14:25:20

*Thread Reply:* I opened a case but they didn’t have enough data and needed debug profiles installed to gather the necessary data - we’re obviously not going to do that for all our users...

Mathieu Beaugrand (beaugrandma@gmail.com)
2018-12-11 22:08:03

@Mathieu Beaugrand has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2018-12-12 23:07:45

I’ve had an article about some of these BYOD deficiencies that I wrote almost 2 years ago; I published an updated version today. Maybe it can be useful for helping to spread the word: https://www.brianmadden.com/opinion/Apples-iOS-management-protocol-needs-to-get-better-for-BYOD-Heres-why-and-what-they-could-do

👍🏻 Alex Chappuis, Damian, aaron
Tycho (tycho@schenkeveld.com)
2018-12-13 16:35:31

*Thread Reply:* Totally agree, I've been thinking roughly the same regarding work profile. Android is really innovative with Work Profile and I really miss that user experience on an iPhone. But this really clarifies the point, I'll archive it, thanks!

Tycho (tycho@schenkeveld.com)
2018-12-13 16:38:45

*Thread Reply:* Though we are seeing a big move to app-based MAM and basically to abandon the MDM concept altogether for BYOD. By the time Apple catches up this could be the main method in use, and it already works on iOS. Users tend to like this a lot, even if they miss out on the easy on/off feature of Work Profile, because they still perceive our MDM client as "spyware" in many cases.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-13 08:16:23

MS just posted this update to Intune:

Updates for Application Transport Security

Microsoft Intune supports Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, to ensure Intune is more secure by default, and to align with other Microsoft services such as Microsoft Office 365. In order to meet this requirement, the iOS and macOS company portals will enforce Apple's updated Application Transport Security (ATS) requirements, which also require TLS 1.2+. ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS and macOS Company Portal apps. For more information, see the Intune support blog.

aaron (aaron@groundctl.com)
2018-12-13 12:23:21

What do they mean by “impacts”?

Julio (julio.vita@hotmail.de)
2018-12-13 13:15:29

Is there a possibility to change the Wi-Fi profile on iOS in AirWatch in a way to where the user has the possibility to "forget the network" so that they can login again to that very same network after a password change?

Woody (eric.woodland@trust.tc)
2018-12-13 14:27:30

@Julio wouldn’t the connection/auth fail, then pop-up with “Incorrect Password” and allow them to enter the new one?

Julio (julio.vita@hotmail.de)
2018-12-13 14:35:29

Actually the phone is not showing that pop up, it is simply not connecting

Woody (eric.woodland@trust.tc)
2018-12-13 14:38:37

Interesting. Perhaps you could create a custom profile in Configurator 2 and upload/distribute (if the Forget option is present)

Julio (julio.vita@hotmail.de)
2018-12-13 14:39:13

Hm, I'll try that, thanks

Mathieu Beaugrand (beaugrandma@gmail.com)
2018-12-18 00:13:10

Hi all, are you aware of the iOS limitation with Per-App VPN when trying to access internal resources with a .local domain?

Mathieu Beaugrand (beaugrandma@gmail.com)
2018-12-18 00:13:34

Official statement from Apple: https://support.apple.com/en-us/HT207511

Mathieu Beaugrand (beaugrandma@gmail.com)
2018-12-18 00:17:00

We are having this issue with one of our customers - they are using Checkpoint as their VPN. I’m unable to replicate the issue using VMware Tunnel as my VPN server (it works fine for me). So wondering if it is a limitation on how Checkpoint have designed their app and config…

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-18 06:30:54

We know this challenge with MobileIron and the SSO configuration, it does not work on iOS with .local domain i.e. to get a Kerberos ticket...I guess the .local domain is used for the "local" iOS name resolution.

AJ (ajorgensen@mobileiron.com)
2018-12-18 08:07:23

that is long fixed

AJ (ajorgensen@mobileiron.com)
2018-12-18 08:07:46

by Apple

AJ (ajorgensen@mobileiron.com)
2018-12-18 08:08:02

as long as DNS traverses the tunnel you are fine;

Mark Vonk (mark.vonk@dahvo.com)
2018-12-18 09:17:55

That was fixed somewhere in iOS 9 I believe...

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-18 15:06:11

@AJ also for kerberos ticketing?

Kiran Patel (kiran@kiranpatel.net)
2018-12-18 23:19:59

I know iOS 12 made some improvements on this specifically

Kiran Patel (kiran@kiranpatel.net)
2018-12-18 23:20:29

iOS SSO and going through the tunnel

Kiran Patel (kiran@kiranpatel.net)
2018-12-18 23:20:36

Not sure about .local

Woody (eric.woodland@trust.tc)
2018-12-19 17:25:34

Sounds like @Alex Chappuis is going to set it up and let us know 🙂

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 21:13:30

In talking to Lookout and Wandera, we’ve found that there are more people running side loaded apps on iOS than we thought. We’re assuming that many people are doing this not by jailbreaking, but by using Xcode to resign apps distributed as source code. Anybody have any thoughts on this, see it in their environment, or do it on their own for fun?

Woody (eric.woodland@trust.tc)
2018-12-19 21:14:10

@Jack Madden I do it for Provenance (Emulator app for NES/SNES/etc)

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 21:15:55

*Thread Reply:* Do you just recompile from source code in Xcode and then install it? I know a couple years back they started allowing people to sign apps for usage on their own devices without paying $99 to join the dev program

Woody (eric.woodland@trust.tc)
2018-12-19 21:56:01

*Thread Reply:* @Jack Madden yes. You can still sign them, but the signing expires after 5 or 7 days.

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 22:30:26

*Thread Reply:* Ah okay. My colleague has been playing with this, so we’ll see when it expires

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 22:31:11

*Thread Reply:* He just saw that Cydia Impactor makes the resigning/installation process ridiculously easy.

👍 Woody
Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 22:32:03

*Thread Reply:* Plus, we found a site installing apps via enterprise certs in about 2 seconds of googling.

Woody (eric.woodland@trust.tc)
2018-12-20 03:26:57

*Thread Reply:* Yeah! That Impactor tool is pretty awesome. I always heard “signing as a service” was very much available. Apparently it still is!

Woody (eric.woodland@trust.tc)
2018-12-19 21:15:21

Yeah, it does cost $99 but it’s worth it to stay involved and be able to sign/distribute when needed

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 21:16:23

Oops, threads got crossed

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 21:17:50

I assume lots of people with $99 developer certs share these types of apps with their friends, too

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 21:18:28

Here are the numbers, BTW: https://www.brianmadden.com/opinion/How-bad-are-mobile-security-threats-Our-look-at-the-numbers-starts-with-Google-and-Lookout

Jack Madden (jackalexandermadden@gmail.com)
2018-12-19 21:18:37

https://www.brianmadden.com/opinion/Wandera-mobile-security-data-shows-locked-down-corporate-policies-help-lessen-risk

👍🏻 Jay
Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-20 06:13:30

@Woody we tried multiple times SSO + Tunnel + .local Domain, also with iOS 12...and it never worked. As soon as we are using another DNS suffix (e.g. com, int etc.) it's OK.

👍 Woody
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-20 09:41:23

@Jack Madden We have a few thousand devices under Lookout, and only see our internal certs on them. I don't see anyone having generated their own for this kind of use case. But... I can certainly see it being a possibility.

The downside though is that Lookout still can't whitelist an app based on a known cert... they are separate controls.

👍 Jack Madden
Jack Madden (jackalexandermadden@gmail.com)
2018-12-20 21:59:51

*Thread Reply:* Interesting.. Thanks!

MichaelM21 (mike.miller815@yahoo.com)
2018-12-22 07:14:47

Is there a good AirPlay recording software where you can blur certain keyboard inputs?

🙏 MichaelM21
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-22 07:32:33

*Thread Reply:* I normally record in QuickTime and blur in post production when capturing iOS.

Are you looking for live capability?

Maybe something like OBS would be a good option. Switching to a scene which has that section blurred.

🙏 MichaelM21
Woody (eric.woodland@trust.tc)
2018-12-23 01:00:26

*Thread Reply:* I don’t know of anything that can blur on the fly. I do all mine post in SnagIt and Camtasia.

👍 MichaelM21
Jason Bayton (jason@bayton.org)
2018-12-23 11:14:02

*Thread Reply:* I just cut those out and add a cross-fade in hitfilm express or imovie

👍 MichaelM21
Sascha Mogler (sascha@mogler.com)
2018-12-23 11:30:17

*Thread Reply:* I record in QuickTime and cut it in CuteCut for Mac. Why CuteCut? I use CuteCut on iOS too...

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2018-12-28 07:51:15

*Thread Reply:* Thanks for the great input!

MichaelM21 (mike.miller815@yahoo.com)
2018-12-28 07:51:46

Does anyone know if In-App purchases can be done through VPP? (MobileIron) - found this: https://verschoren.com/2018/02/vpp-in-app-purchase/ Not sure if this is still accurate.

aaron (aaron@groundctl.com)
2018-12-28 13:54:07

Apple offers no way to manage in-app purchases at all. (Except disabling them on supervised devices.)

🙏 MichaelM21, Woody
Joris dS (joris@smartphonehelp.be)
2018-12-30 21:53:58

@Joris dS has joined the channel

Anton I (antonn94@gmail.com)
2019-01-03 08:48:36

@Anton I has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-01-03 17:08:57

So here’s an interesting one… in Settings > Sounds and Haptics, under Ringer and Alerts, there’s the “change with buttons” setting. At some point last year, this setting got turned off on my phone. I didn’t even know it existed, and then I spent a while occasionally wondering why I couldn’t change my alarm volume, until I finally googled the issue. I just talked my coworker through fixing it, too. Has this caught anybody else? I think the setting may have gotten flipped when I got my new phone, but I’m not sure. Was this an iOS 12 thing?

🤔 Woody
Julio (julio.vita@hotmail.de)
2019-01-03 17:14:06

Hearing this for the first time also

Jay (jay@project-xy.com)
2019-01-03 17:14:32

I just had a look and I'll admit I hadn't actually noticed before!

Kiran Patel (kiran@kiranpatel.net)
2019-01-03 22:47:13

Same here although mine was disabled as well! I normally have my phone on silent so didn’t bother me much

Mathieu Beaugrand (beaugrandma@gmail.com)
2019-01-06 23:14:47

This option has been available for a while. I remember switching it off when I was using my iPhone 5 or thereabouts!!

Trutch (matt_trutch@hotmail.com)
2019-01-07 03:52:14

@Trutch has joined the channel

Hitesh Ambulkar (hambu001@fiu.edu)
2019-01-08 19:34:43

@Hitesh Ambulkar has joined the channel

Adam Matthews (adam@adammatthews.co.uk)
2019-01-09 21:57:49

@Adam Matthews has joined the channel

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-01-14 08:15:44

@Marc van der Kooy has joined the channel

Nick Knight (arpknight@gmail.com)
2019-01-14 12:13:11

@Nick Knight has joined the channel

WeS (werner.soulerin@computacenter.com)
2019-01-15 12:56:37

@WeS has joined the channel

dherder (dherder@gmail.com)
2019-01-15 15:41:54

@dherder has joined the channel

Neha (nshafi3@gmail.com)
2019-01-16 18:38:29

@Neha has joined the channel

Matt Brandom (mbrandom1@vmware.com)
2019-01-16 19:18:16

@Matt Brandom has joined the channel

Martijn Schraven (martijn.schraven@centralpoint.nl)
2019-01-16 20:12:34

@Martijn Schraven has joined the channel

rm (roomurdock@icloud.com)
2019-01-20 22:59:38

@rm has joined the channel

Al (al.mackay@astrazeneca.com)
2019-01-23 11:07:25

@Al has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-01-24 18:58:38

Office is finally in the Mac App Store. Good news, but all I could think was “could we finally get support for App Config in the mobile clients, please?!?!” https://www.apple.com/newsroom/2019/01/the-mac-app-store-welcomes-office-365/

👍🏻 Simon Hardy-Bistagne, Tycho, Woody, Damian, Jay
👍 Mathieu Beaugrand
Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-24 19:07:22

*Thread Reply:* @Tycho good news!

👍 Tycho
😄 Tycho
Tycho (tycho@schenkeveld.com)
2019-01-24 19:09:08

*Thread Reply:* Indeed!! And they have done the purchasing via in-app so technically it should play fine with O365 subscriptions on VPP. Will give it a try tomorrow. If it doesn't interfere with my existing installation I might just assign it to everyone.

This will make DEP much more feasible too due to not having to include this anymore, it's by far the biggest package.

Woody (eric.woodland@trust.tc)
2019-01-24 19:19:43

*Thread Reply:* Amen, @Jack Madden! Baby steps is MSFT’s MO these days

Tycho (tycho@schenkeveld.com)
2019-01-24 19:20:32

*Thread Reply:* It plays pretty nice with existing installations too! I was afraid it would install side by side or just kill the existing one without asking (which is what happens if I just push the installer through Munki for new versions)

Tycho (tycho@schenkeveld.com)
2019-01-24 19:39:54

*Thread Reply:* After installation I get like 10 of these in a row... That's not so nice (yes I clicked always allow every time) - had to enter the same password every time too.

That's something I'll have to see about before pushing this to the users with existing installations. Somehow it doesn't gracefully take over the old local installation's rights.

Tycho (tycho@schenkeveld.com)
2019-01-24 20:08:38

*Thread Reply:* Ok so Microsoft's Mac expert is live in macadmins in the office channel. So the issue is that the old apps are signed with MS's key and the new ones with Apple's, so they don't get the access. But he's provided a tool to delete the items from the keychain. Will check tomorrow. Just wanted to mention here in case one of you runs into this too.

Of course the user can't be opening any O365 apps during app store installation so it'll have to be a scripted migration that enforces the right order of things. Will think about it.

👍 jafullersr, Simon Hardy-Bistagne, Jay
Tycho (tycho@schenkeveld.com)
2019-01-24 20:17:52

*Thread Reply:* FAQ goodies: https://docs.microsoft.com/en-ie/deployoffice/mac/deploy-mac-app-store

👏🏻 Jay
NicolasR (raison_nicolas@me.com)
2019-01-24 23:10:18

iOS 12.2 will introduce the new iOS MDM Enrollment workflow. Source: MobileIron

rm (roomurdock@icloud.com)
2019-01-25 02:51:24

*Thread Reply:* This? https://emm.how/t/ios-12-1-3-beta-4-changes-to-mdm-enrolment-workflow/917

Matthew Shaver (mshaver@us.ibm.com)
2019-01-25 15:15:03

*Thread Reply:* From Apple: In order to improve platform security by reducing misleading profile installations, iOS 12.2 beta includes a new workflow for manually installing configuration profiles. Apple plans to test this workflow in iOS 12.2 beta and include it in iOS 12.2 GM.

Matthew Shaver (mshaver@us.ibm.com)
2019-01-25 15:16:29

*Thread Reply:* Should be noted there is a MAJOR change from previous beta testing. In the past few versions, if the profile was not installed within 24 hours, it would automatically be deleted. They have now lowered that time to 8 minutes

NicolasR (raison_nicolas@me.com)
2019-01-25 21:48:55

*Thread Reply:* I think the 8 minutes thing is to guarantee that the MDM will not reject the device when it will connect...

drew (hello@drewsecomb.com)
2019-01-25 00:34:36

@drew has joined the channel

RobE (robert.kreuzer@outlook.com)
2019-01-27 20:23:33

MobileIron Core iReg with QR code - what exactly does this mean: “Mobile@Work or MobileIron Go must be open before 4h from registration”.. Mobile@Work needs to be opened once 4hours before the enrollment or is there a 4hour window for the enrollment? https://community.mobileiron.com/docs/DOC-8291

NicolasR (raison_nicolas@me.com)
2019-01-27 21:37:25

*Thread Reply:* Otherwise the app will not be activated and the client will be installed but not synchronised

NicolasR (raison_nicolas@me.com)
2019-01-27 21:37:35

*Thread Reply:* On Core it’s possible to change the value

NicolasR (raison_nicolas@me.com)
2019-01-27 21:37:49

*Thread Reply:* As far as I know Cloud is set to 24 hours

Jack Madden (jackalexandermadden@gmail.com)
2019-01-28 17:29:54

This was on TechMeme today; I never heard of them before now but does anybody have any experience with them (or heard of them?) https://venturebeat.com/2019/01/28/mosyle-raises-16-million-to-streamline-apple-device-management/

Matthew Shaver (mshaver@us.ibm.com)
2019-01-28 17:59:36

*Thread Reply:* Venture Beat continues its uneven journalistic endeavors by writing about them like MDM is something brand new that nobody has ever seen before. I haven’t come across these cats yet, but it seems like they’re trying to position themselves as a cost effective competitor to JAMF

👍 Woody
Jack Madden (jackalexandermadden@gmail.com)
2019-01-28 19:55:08

*Thread Reply:* Reminds me of the 2011-2012 era when we’d average one MDM product launch/MDM startup/MDM acquisition per week

Jack Madden (jackalexandermadden@gmail.com)
2019-01-28 20:23:42

Apologies if this came up already, but did anybody see the recent iPod Touch rumors? Long live 4" devices (I suppose) https://www.macrumors.com/2019/01/25/new-ipad-models-7th-gen-ipod-touch-ios-12-2/

Jack Madden (jackalexandermadden@gmail.com)
2019-01-28 20:24:24

*Thread Reply:* It’s been the perennial topic of conversation on podcasts with @aaron and @Russell Mohr

Julio (julio.vita@hotmail.de)
2019-01-28 20:24:04

Heard about it yesterday

Julio (julio.vita@hotmail.de)
2019-01-28 20:24:32

But I don’t get why they would want to release a new iPod though?

Jack Madden (jackalexandermadden@gmail.com)
2019-01-28 20:27:43

To give continuity for embedded devices makes sense (barcode scanners/CC reader sleds used in healthcare, retail, etc.) though I wonder if Apple is really keeping a product alive just for the enterprise, or if they see much of a market for it anywhere else?

JP Guldfeldt (jpguldfeldt@hotmail.com)
2019-02-01 06:01:57

*Thread Reply:* In the Capitol Region of Denmark they have about 4.000 iPods in use for the healthcare system used with Honeywell scanners.

Matthew Shaver (mshaver@us.ibm.com)
2019-01-28 20:31:03

All the charts I’ve seen don’t (or can’t) even track sales. I feel like there is some old guy who has been at Apple since the late 90s who is basically untouchable that keeps them alive for nostalgic purposes

Jack Madden (jackalexandermadden@gmail.com)
2019-01-28 21:31:22

Can’t wait for the 20th anniversary iPod!

Tycho (tycho@schenkeveld.com)
2019-01-28 21:31:38

The iPod Touch is a really nice way for developers to get a cheap iOS device. It was the reason I had one for a while. Not sure if this is really enough to keep it on the lineup as a model but I sure was happy to have it. I'd say there's more edge cases like that.

👍 Woody, Matthew Shaver
Woody (eric.woodland@trust.tc)
2019-01-28 21:47:29

True dat @Tycho

Mark Vonk (mark.vonk@dahvo.com)
2019-01-29 06:15:04

https://www.theverge.com/2019/1/28/18201383/apple-facetime-bug-iphone-eavesdrop-listen-in-remote-call-security-issue

😱 Tycho
Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-29 10:02:55

*Thread Reply:* Yep... and holy f**k balls...

This is a massive one... Apple have disabled the group FaceTime servers which "should" stem this from being exploited, however I'm seeing reports that this exploit still works.

I'm disabling FaceTime on our top exec iOS devices until a patch is made available.

Phil Hackett (phil.hackett83@gmail.com)
2019-01-29 11:54:00

*Thread Reply:* Apple have disabled Group FaceTime. Good timing, I was about to send a mass communication to users :-) https://www.apple.com/support/systemstatus/

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-29 12:03:56

*Thread Reply:* TBH I would still send out comms around the issue. It's going to be in the news today, and users (and top execs) will have questions, so it's better to get ahead of it. Not necessarily via email, but Yammer post or blog post on your internal sites.

What worries me more here isn't the exploit itself, but the fact that built into the code of iOS is the ability to remotely enable your microphone and camera.

This is something that should be security coded into the OS that can not happen without a user giving approval every time.

This negates many of the arguments that Apple has around security.

Jack Madden (jackalexandermadden@gmail.com)
2019-01-29 16:55:40

*Thread Reply:* Interesting sidenote, FaceTime is one of the restrictions that’s getting deprecated to Supervised-only

Martijn Rijerse (martijn.rijerse@dahvo.com)
2019-01-30 12:29:26

@Martijn Rijerse has joined the channel

Jeremy (jeremy@bodokh.com)
2019-01-30 16:07:34

https://www.theverge.com/platform/amp/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps

Woody (eric.woodland@trust.tc)
2019-01-30 16:41:30

Nice to see Apple following through on their stance about enterprise signing and distribution of apps.

Woody (eric.woodland@trust.tc)
2019-01-30 16:42:55

Kind of funny that one of their targets ended up being Facebook

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-30 16:48:56

Wow... Nice!

Resign, redeploy... I wonder what EMM they use... Though saying that... If they're just signing for users to go download that's funny suck!

Jeremy (jeremy@bodokh.com)
2019-01-30 16:58:29

I wonder if they have more than one enterprise developer subscription...

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-30 16:59:29

I would be shocked if they didn't.

At least one for internal apps and one for external customer apps

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-30 17:00:07

And even then, multiple certificates per account... I wonder if Apple canned the entire Dev account or just a single cert

Jack Madden (jackalexandermadden@gmail.com)
2019-01-30 17:00:55

I agree that Facebook deserved it. Grabs popcorn

😆 Woody, NicolasR
Jack Madden (jackalexandermadden@gmail.com)
2019-01-30 17:03:02

Reminds me of back when we all talked about wrapping public apps with MAM and resigning them, and wondered if Apple would ever get mad at a company and revoke their cert

👍 Woody
Jeremy (jeremy@bodokh.com)
2019-01-30 17:05:10

I know a company that got their enterprise developer account revoked (entire account) by Apple. They offered a beta of their apps on their website

😳 Woody
Jeremy (jeremy@bodokh.com)
2019-01-30 17:06:47

So that happens ...

Jack Madden (jackalexandermadden@gmail.com)
2019-01-30 17:28:57

Also, my sympathy to the admins at FB that have to deal with this

Jason (jasonh@bridgeway.co.uk)
2019-01-30 17:31:32

I believe FB uses MobileIron…

Jeremy (jeremy@bodokh.com)
2019-01-30 19:33:42

Google’s also peddling a data collector through Apple’s back door – TechCrunch https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/ Let’s see if they do the same to Google...

🤦 Tycho
Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-30 19:36:33

Eeesh!

Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 21:30:12

https://www.theverge.com/2019/1/31/18205795/apple-google-blocked-internal-ios-apps-developer-certificate

Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 21:40:18

I’m looking for more details on how the TOS defines “employees” and “organization” - any thoughts?

Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 21:45:10

Ah… they’re here but not public, it seems: https://developer.apple.com/terms/

Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 21:52:28

I’m sure a lot of companies are now going to audit their usage of the program, at least for peace of mind

aaron (aaron@groundctl.com)
2019-01-31 21:52:28

This is the only way to make apps that (a) is relatively easy to distribute and (b) doesn’t get reviewed by Apple. Originally, the Apple Ts & Cs limited distribution to employees only. Over the last years they added provisions for contractors and customers — when on premises. That’s actually opened up valid use considerably.

Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 21:54:09

Does device ownership matter? What if a customer that’s using it, but the company owns the device?

aaron (aaron@groundctl.com)
2019-01-31 21:54:12

Really the only valid option for apps to individuals is to publish through the App Store. Makes you wonder why these companies don’t do that with their apps. Oh right — it’s because the apps spy on user behavior.

Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 21:57:31

Yeah… there’s market research, and then there’s asking a user to install a profile with a root cert… Makes me curious what popular apps out there are and aren’t using pinning

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-31 22:02:08

Meh... I’ll argue that half of our internal apps contain either company sensitive data, or at least data that we wouldn’t want in the public domain.

Internal distribution is the best option in those cases.

Ownership shouldn’t matter, especially as enterprise leasing is now getting popular in many countries so you never actually own the device. Apple even provide this too.

@Jack Madden I think it reminds me of a question you asked a while ago about how many devices out there have 3rd party app signing certs on their devices.

I think we’re going to take another pass at our reports this week and do a quick audit as I think this type of mechanism is a lot more widespread than we think.

👍 Tycho
Jack Madden (jackalexandermadden@gmail.com)
2019-01-31 22:29:13

I guess one question is: Can the app be structured in such a way that the sensitive data is not in the app itself, and instead entirely contained in content that gets downloaded later (documents, customer records)? Or are the actual coded-in features of the app considered sensitive, and there’s no way to construct the app otherwise?

David F (david.fink@gov.bc.ca)
2019-01-31 23:14:45

@David F has joined the channel

John_seston (john.seston@me.com)
2019-02-01 10:04:54

@John_seston has joined the channel

Damien (damien@gosset.info)
2019-02-01 13:25:37

@Damien has joined the channel

Prapula (prapula@mobilenetwork.com.au)
2019-02-05 04:14:22

@Prapula has joined the channel

Karl Seaton (karl.seaton@wandera.com)
2019-02-07 15:45:15

@Karl Seaton has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-07 20:38:57

12.1.4 has dropped

👍 Woody, Tycho
Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-02-07 21:03:10

*Thread Reply:* There are a few Twitter accounts or websites which you can follow to receive a notification when a new version is released. I prefer https://twitter.com/iOSReleases

👍 Woody
drew (hello@drewsecomb.com)
2019-02-11 04:07:57

@drew has left the channel

drew (hello@drewsecomb.com)
2019-02-11 04:08:58

@drew has joined the channel

Julio (julio.vita@hotmail.de)
2019-02-11 13:33:23

How do you guys go about testing the new iOS in regards to the FaceTime bug?

Tycho (tycho@schenkeveld.com)
2019-02-11 13:47:58

We can't test this - the group calls have been disabled by Apple for older iOS versions

Tycho (tycho@schenkeveld.com)
2019-02-11 13:48:17

So you can't really test the actual exploit because it no longer works

Julio (julio.vita@hotmail.de)
2019-02-11 14:17:30

Hm, okay

Tycho (tycho@schenkeveld.com)
2019-02-11 14:49:13

Apple did this as a preliminary mitigation of the bug, in advance of the updated firmware availability

Julio (julio.vita@hotmail.de)
2019-02-11 14:51:29

Yeah, so we’ll have to trust it, since there is no proper way of testing. Just asking because our security team asked if we could test this

Mark Vonk (mark.vonk@dahvo.com)
2019-02-11 14:52:40

Well you can test with one device, right? Upgrade to 12.1.4 and test it…

Tycho (tycho@schenkeveld.com)
2019-02-11 14:54:32

Yes you can test that it doesn't work

Tycho (tycho@schenkeveld.com)
2019-02-11 14:54:50

But you can't compare the "working exploit" situation before 12.1.4 with the fixed situation, that's what I mean

Julio (julio.vita@hotmail.de)
2019-02-11 14:56:02

Yeah, I understand. Thanks for your input guys

Jack Madden (jackalexandermadden@gmail.com)
2019-02-12 19:19:15

So, a couple of interesting things here: https://techcrunch.com/2019/02/12/apple-porn-gambling-apps/

Jack Madden (jackalexandermadden@gmail.com)
2019-02-12 19:19:40

(BTW, it includes some pixelated screenshots of apps, so may be NSFW)

Jack Madden (jackalexandermadden@gmail.com)
2019-02-12 19:20:26

I wonder if Apple might just throw up their hands and restrict enterprise-signed apps to enrolled devices

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-12 19:24:06

*Thread Reply:* Hmmmm....

So that's not a crazy idea. Integrate Enterprise apps with the App Store (much like Google) would resolve some of the distribution issues.

Interesting they focus so hard on the porn aspect. As far as I know, making "porn" apps for internal Enterprise use doesn't specifically break any T&Cs, the distribution outside the enterprises certainly is though.

Jack Madden (jackalexandermadden@gmail.com)
2019-02-12 19:21:49

(Also, I want to point out that my colleague wrote an article about this in the beginning of January. We should have just put “porn” in the title to get more attention)

Jack Madden (jackalexandermadden@gmail.com)
2019-02-12 19:22:20

But seriously, it only took about 30 seconds of googling (back in January) to find enterprise-signed apps to side load

rm (roomurdock@icloud.com)
2019-02-12 22:55:10

I agree that moving to enrolled devices only would be a good intermediate. Deploy apps only using the B2B VPP store, not sure how that would affect developing etc though.

NicolasR (raison_nicolas@me.com)
2019-02-12 23:19:52

I think the system doesn’t fit to an MDM world, neither to MAM... updating a certificate every year is a pain in the ** for many admins who don’t control the signing process or simply forget to resign apps.

Customers platforms with more than 20 apps require at least one app signing per month because development cycles are not aligned.

Admins have better to do than signing apps every day....!

NicolasR (raison_nicolas@me.com)
2019-02-12 23:21:11

I stopped counting the number of times customers told me that they failed to renew line of business app signature

jafullersr (jafuller@starbucks.com)
2019-02-13 00:54:02

Build automation and application lifecycle management helps. But I agree. A longer expiry would help for internal app provisioning profiles to align to the distribution cert.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-13 05:56:35

We're at the stage now of having around 120 internal apps using the same cert. Once you come to expiry you can basically re-sign all at the same time with a new cert via both Airwatch and Intune, so we only have to hit new apps individually.

Makes life simpler

👍 Tycho, Woody
Subbzz (s.subiah@septagon.co.nz)
2019-02-13 10:44:55

*Thread Reply:* But if there was a compromise then all your apps are impacted isn't it? Speaking from security perspective.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-13 11:22:41

*Thread Reply:* I don't see any real risks.

All the cert does is allow an app you've created to run on an iOS device outside of the AppStore. If a 3rd party got the cert, then the most they can do is sign their own apps with it until it expires in under 12 months. And that won't impact my security. Potentially if Apple got wind they might can the cert but it's a very unlikely situation. It's no more risky than a company deploying the Root CA cert to all their desktop devices. It's BAU.

Access to corporate data on our own internal apps isn't covered by an app signature.

If anything, when I'm signing apps with a single (or small number of) internal signing certs, I am more confident that the apps on my users' devices are genuine. At the moment, I can set my MTD to flag apps which are signed by a 3rd party as a risk, apart from those apps which are carrying my cert. If I had to do that for 150 different certs, all expiring throughout the year, I'd have to employ a person just to carry out the task of updating the MTD policy.

Also, when it comes round to renewals, it's a single, simple push for all my enterprise apps to ensure they keep running. If I had to re-sign each individually, and redeploy, then my life would be hell.

jafullersr (jafuller@starbucks.com)
2019-02-13 15:40:08

*Thread Reply:* The enterprise developer account for internal apps only allows 2 distribution certificates to be in use. So you don’t really have a choice. But I agree with Simon that a single cert or two on rotation with a single team responsible for it, is a much simpler and more manageable approach.

Martin Hillerö (martin.hillero@techstep.se)
2019-02-13 13:50:48

@Martin Hillerö has joined the channel

Julio (julio.vita@hotmail.de)
2019-02-14 08:30:48

https://www.forbes.com/sites/gordonkelly/2019/02/10/apple-ios-12-1-4-problem-iphone-cellular-data-wifi-upgrade-ipad/amp/

Julio (julio.vita@hotmail.de)
2019-02-14 08:30:55

https://www.gottabemobile.com/ios-12-problems-5-things-you-need-to-know/

Julio (julio.vita@hotmail.de)
2019-02-14 08:31:08

How do you guys go about this?

Julio (julio.vita@hotmail.de)
2019-02-14 08:31:29

Do you recommend to stay on 12.1.3?

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-14 08:40:48

Tbh, I pay little credence to Forbes’s reporting of apple bugs.

They always seem to sensationalise a lot of them, even if they are based on only a handful of reports.

I’m certainly recommending the upgrade to 12.1.4

👍 Tycho, Julio, Jack Madden
Mark Vonk (mark.vonk@dahvo.com)
2019-02-14 08:52:17

Easy for Forbes: with every new iOS release they whip out the same article. Search and replace iOS versions and done....

Steve Blake (stephen@palaemon.co.uk)
2019-02-14 13:22:52

@Steve Blake has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-14 15:02:38

https://blogs.vmware.com/euc/2019/02/ios-devices-mdm.html

Tycho (tycho@schenkeveld.com)
2019-02-14 15:43:19

*Thread Reply:* They've done something similar on Mac already, yes..

I would really have preferred if they just put up a big warning screen with the implications instead. Getting the users to hunt around in the settings menu is not great IMO, and it doesn't really address the issue (possibly granting malicious actors access) as well as a good system dialog with a clear warning of what they are about to agree to.

But it's Apple so we'll just have to make do with what they decide.

Damian (support@expertmobilite.com)
2019-02-14 16:02:23

*Thread Reply:* Our users are going to love this...it’s not as if the enrollment procedure isn’t long winded enough in its current form 🙄

👍 Tycho
Damian (support@expertmobilite.com)
2019-02-14 16:12:58

*Thread Reply:* Do you know which iOS GA will include this?

Damian (support@expertmobilite.com)
2019-02-14 16:13:07

*Thread Reply:* It’s not mentioned in the article

Damian (support@expertmobilite.com)
2019-02-14 16:13:20

*Thread Reply:* It’s already in beta - I’ve confirmed and bloody annoying

Julio (julio.vita@hotmail.de)
2019-02-14 16:30:44

*Thread Reply:* Will probably be included in the next minor update or so

Damian (support@expertmobilite.com)
2019-02-14 16:52:33

*Thread Reply:* Yeah but that doesn’t help us prepare 😊 we need to update all our enrollment guides...

Woody (eric.woodland@trust.tc)
2019-02-14 18:25:39

*Thread Reply:* This article should include a visual of Android Enterprise (Work Profile) enrollment as an alternative 😬

😆 Damian, Simon Hardy-Bistagne, Tycho
Rajesh Kumar (rajes20@gmail.com)
2019-02-14 16:33:55

@Rajesh Kumar has joined the channel

Mathieu Bernier (mathieu.bernier@gmail.com)
2019-02-14 20:18:45

@Mathieu Bernier has joined the channel

Antonio U (aurbina@nclcorp.com)
2019-02-14 21:30:36

@Antonio U has joined the channel

Jorn Erik Hornseth (jh@syscomworld.com)
2019-02-14 22:01:49

@Jorn Erik Hornseth has joined the channel

Kern Smith (kern.smith@zimperium.com)
2019-02-14 23:04:58

@Kern Smith has joined the channel

Marc Brandenburg (mobilxperts@marcbrandenburg.com)
2019-02-15 01:27:37

@Marc Brandenburg has joined the channel

Jay Patel (jay991@gmail.com)
2019-02-15 02:25:48

@Jay Patel has joined the channel

Bharat Madimi (madimibharat92@gmail.com)
2019-02-15 06:49:26

@Bharat Madimi has joined the channel

Kjell Eilertsen (kjell.i.eilertsen@gmail.com)
2019-02-15 07:18:24

@Kjell Eilertsen has joined the channel

Erik Baier (erik.baier@nomasis.ch)
2019-02-15 07:58:41

@Erik Baier has joined the channel

Jesper Ståhl (jepsan@gmail.com)
2019-02-15 09:21:44

@Jesper Ståhl has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2019-02-15 09:32:39

Just wanted to share a nice tool for automated build and deployment of In-house Apps: https://ebf.de/en/solutions/incapptic-connect/ https://www.incapptic.com/

👍 Woody, Rajesh Kumar
Johannes Harbs (harbs.johannes@gmail.com)
2019-02-15 09:41:28

@Johannes Harbs has joined the channel

Sharon (sharon.samson@anz.com)
2019-02-15 10:17:03

@Sharon has joined the channel

Kévin LORET (kevin.loret@gmail.com)
2019-02-15 10:20:45

@Kévin LORET has joined the channel

Khalid (dashingkhalid@gmail.com)
2019-02-15 12:40:56

@Khalid has joined the channel

petarov (petar.petrov@midpoints.de)
2019-02-15 13:03:03

@petarov has joined the channel

Narcwolf (ybier1@gmail.com)
2019-02-15 14:01:38

@Narcwolf has joined the channel

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-02-15 17:45:27

@Adrian Patrascu has joined the channel

AbhishekPd (abhiprasad04@gmail.com)
2019-02-16 00:52:45

@AbhishekPd has joined the channel

Sharkey (lukesharkey@gmail.com)
2019-02-16 02:39:52

@Sharkey has joined the channel

Thiago Neves (ttn.passos@gmail.com)
2019-02-16 10:45:52

@Thiago Neves has joined the channel

Praneet Gupta (praneetgupta.28@gmail.com)
2019-02-16 17:37:56

@Praneet Gupta has joined the channel

jescala (jorge@jescala.com)
2019-02-17 19:48:51

@jescala has joined the channel

ytakamura (ytakamura@yourinventit.com)
2019-02-18 05:23:45

@ytakamura has joined the channel

Michael Auerbach (mau@conscia.com)
2019-02-18 09:07:52

@Michael Auerbach has joined the channel

Julio (julio.vita@hotmail.de)
2019-02-18 12:38:04

Does anybody have a solution for BYOD on iOS with Workspace One, that would physically separate work and private data? I know the apps are sandboxed and so on, but management keeps asking for a solution similar to workprofile on Android🙄

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-18 12:42:23

Sure... give them Outlook Mobile...

Damian (support@expertmobilite.com)
2019-02-18 12:42:41

Yep, Outlook mobile via MAM

Damian (support@expertmobilite.com)
2019-02-18 12:43:17

You also have adaptive management with WS1 - look it up

Damian (support@expertmobilite.com)
2019-02-18 12:44:26

And...in this BYOD scenario you can sign in to WS1 by federating it with your IdP so no messy passwords etc

Jason Bayton (jason@bayton.org)
2019-02-18 12:47:46

But outlook mobile is just a managed app in the same user space with a PIN on the front of it. How is that comparable? 😛

😂 Damian
Julio (julio.vita@hotmail.de)
2019-02-18 12:49:09

Yeah, it is nothing that would separate stuff into Workspace and Private space

Julio (julio.vita@hotmail.de)
2019-02-18 12:49:34

I suppose there is nothing comparable on iOS

Julio (julio.vita@hotmail.de)
2019-02-18 12:49:44

At least I couldn’t find anything like that yet

Damian (support@expertmobilite.com)
2019-02-18 12:49:44

No mate

Damian (support@expertmobilite.com)
2019-02-18 12:50:16

iOS is way behind in BYOD - just ask @Jack Madden he’s blogged this to death 😆

Julio (julio.vita@hotmail.de)
2019-02-18 12:50:36

Yeah, unfortunately^^

Julio (julio.vita@hotmail.de)
2019-02-18 12:51:09

I thought about making use of all the WS1 apps, like Boxer and inbox just to give them “a more secure feeling” but that’s also not it

Damian (support@expertmobilite.com)
2019-02-18 12:53:09

Your best bet is to rely on MAM and maybe install a MTD solution such as Lookout - all depends on how strict your security team is...

Damian (support@expertmobilite.com)
2019-02-18 12:53:40

Boxer requires the MDM agent last time I heard

Damian (support@expertmobilite.com)
2019-02-18 12:54:01

So when you stick an agent on the device it’s not really BYOD 😉

Damian (support@expertmobilite.com)
2019-02-18 12:54:19

All depends on your needs

Damian (support@expertmobilite.com)
2019-02-18 12:54:40

Are you looking for collaboration with the MSFT suite?

Damian (support@expertmobilite.com)
2019-02-18 12:54:51

Or basic email etc

Julio (julio.vita@hotmail.de)
2019-02-18 12:55:03

We are totally on G Suite

Julio (julio.vita@hotmail.de)
2019-02-18 12:55:14

All the apps like Drive, Hangouts Chat etc

Julio (julio.vita@hotmail.de)
2019-02-18 12:55:25

That is what has to be integrated

Julio (julio.vita@hotmail.de)
2019-02-18 12:55:36

Right now our BYOD is what you mentioned, with the agent

Julio (julio.vita@hotmail.de)
2019-02-18 12:55:43

So no actual BYOD

Damian (support@expertmobilite.com)
2019-02-18 12:56:54

Do you have a big iOS population ?

Damian (support@expertmobilite.com)
2019-02-18 12:57:00

Vs Android ?

Julio (julio.vita@hotmail.de)
2019-02-18 12:58:20

Yes, iOS is 75 % of what we have

Julio (julio.vita@hotmail.de)
2019-02-18 12:58:40

We are at almost 5k devices

Anton I (antonn94@gmail.com)
2019-02-18 13:22:04

Anyone using certificate based authentication towards ADFS, on iOS?

Tycho (tycho@schenkeveld.com)
2019-02-18 13:54:46

We're also at about 75% - we want to get towards 50/50 though

Tycho (tycho@schenkeveld.com)
2019-02-18 13:56:45

But with an agent it's not really BYOD? Not sure if I really agree there 🙂 Android Work Profile also requires an agent to manage it.

Tycho (tycho@schenkeveld.com)
2019-02-18 13:58:27

But I agree Work Profile is a really nice solution for balancing work/private life and I really miss this separation on iOS

Julio (julio.vita@hotmail.de)
2019-02-18 13:58:59

Do all of you guys use MAM for BYOD on iOS?

Tycho (tycho@schenkeveld.com)
2019-02-18 13:59:27

No we give the users the option. MDM for full functionality with office WiFi access, VPN, many apps etc. Or MAM with just outlook and nothing else. I don't think MDM is a bad option for BYOD at all as long as you make clear what you manage and what you don't. Most MDMs have clarified that a lot lately (WS1 with its privacy webclip, intune has clear screens during enrolment) PS: Outlook MAM does actually require the authenticator and Intune company portal installed 🙂 But it doesn't need to be enrolled

👍 Julio
LeandroDS (leandro.sole@navita.com.br)
2019-02-18 14:09:19

@LeandroDS has joined the channel

Dmitri A. (dsaltum23@gmail.com)
2019-02-18 15:44:18

@Dmitri A. has joined the channel

Damian (support@expertmobilite.com)
2019-02-18 15:45:46

AFE has its own agent within the encrypted workspace and so is completely separate from the personal space. Therefore an admin only controls that part. It’s not the same as iOS. Even if you limit what can be done via the agent it still doesn’t stop an admin with a grudge changing the settings and for example wiping the entire device! I can tell you from experience that our USA office won’t even entertain an agent on a personal device.

👍 Tycho
Tycho (tycho@schenkeveld.com)
2019-02-18 17:06:36

*Thread Reply:* That first part (the admin only controls the work profile) is not strictly the case, even in standard work profile modes (not COPE or COBO) you can control several things at the device level. For example we block sideloading even on the 'main' side of the phone through the agent, and we load WiFi profiles with certificates. We also install lookout that scans a lot on the phone and the surrounding networks.

But yes, the phone personal data is much better protected from the agent on a work profile. I also really like the way you can just switch off the work side. Apple has a lot of catching up to do there.

Damian (support@expertmobilite.com)
2019-02-18 17:37:57

*Thread Reply:* True, from an Android perspective we do enforce encryption of the device and a device password but in regards to splitting work from personal it's night and day...

👍 Tycho
Tycho (tycho@schenkeveld.com)
2019-02-18 17:47:42

*Thread Reply:* Oh yeah true, I forgot those but we do them as well 🙂

NicolasR (raison_nicolas@me.com)
2019-02-18 21:49:38

*Thread Reply:* Not completely true. An admin can set the permissions of the MDM profile and for instance prevent full wipe of the device. Possible with MobileIron Core but not Airwatch I think

NicolasR (raison_nicolas@me.com)
2019-02-18 21:50:17

*Thread Reply:* In that case, the user sees, during installation of the MDM profile, a statement according to the permissions

Damian (support@expertmobilite.com)
2019-02-20 16:54:50

*Thread Reply:* Not sure what you mean by preventing full wipe via the MDM profile via admin... isn’t it the same as restricting the option to wipe the device in the AW role permissions of the admin accounts?

NicolasR (raison_nicolas@me.com)
2019-02-20 17:57:38

*Thread Reply:* Nope. An MDM profile can have a set of permissions that are set inside the payload which prevent the MDM from taking the action even if the UI allows this.

Damian (support@expertmobilite.com)
2019-02-20 18:01:34

*Thread Reply:* I see what you mean

Damian (support@expertmobilite.com)
2019-02-20 18:02:09

*Thread Reply:* So you can do this in Mobileiron but not AirWatch ?

NicolasR (raison_nicolas@me.com)
2019-02-20 21:14:40

*Thread Reply:* AFAIK...

Damian (support@expertmobilite.com)
2019-02-18 15:46:17

But every company has its own policies and use cases

Damian (support@expertmobilite.com)
2019-02-18 15:48:35

We recently asked VMware to create a new feature for us that requests multiple PIN validations for any admin modification of privacy settings or higher function admin mods like device wipe. No news as of yet...

Damian (support@expertmobilite.com)
2019-02-18 15:49:08

At least that goes some way in reassuring our compliance/security teams

Jason Bayton (jason@bayton.org)
2019-02-18 15:55:29

> So when you stick an agent on the device it’s not really BYOD 😉

What sort of nonsense is that? 😛 you bring a personal device into a corporate setting, that's BYOD, not whether or not there's an agent defining how corp data is accessed.

Agree with everything else though..

👍 Tycho
Damian (support@expertmobilite.com)
2019-02-18 17:56:47

*Thread Reply:* Figure of speech, not nonsense 😝

I’m not trying to define BYOD as to whether or not the device has an agent. An agent on an iOS device in the traditional sense is MDM which allows an admin to do what they like if they have the rights...MAM on the other hand is an acceptable scenario for BYOD as long it covers jailbreak, minimum OS version etc...device passcode enforcement however requires MDM. Again, not easy to define a true BYOD policy for iOS.

Himali (himalipethe@gmail.com)
2019-02-18 16:37:46

@Himali has joined the channel

Damian (support@expertmobilite.com)
2019-02-18 16:52:55

@Jason Bayton if you really think about it, the presence of an agent freaks people out. You can list everything that an admin can do and the privacy settings (data collected etc) but you can’t really take away the fact that an agent on the device (talking about iOS here) means that anything is possible. I’m not comfortable with that but other people don’t give a damn...and that’s also cool 😊

Jason Bayton (jason@bayton.org)
2019-02-18 16:55:01

Oh yeah, iOS BYOD is defined by policy rather than.. device, but I don't think that changes the definition of BYOD

Damian (support@expertmobilite.com)
2019-02-18 17:35:04

*Thread Reply:* Not easy to define BYOD on iOS mate 😉

aaron (aaron@groundctl.com)
2019-02-18 19:50:36

Maybe not everyone is clear what is meant by “agent” on iOS. Sure, there may be an app that accompanies the MDM, like Hub for AirWatch. But that’s just a sandboxed iOS app like every other sandboxed iOS app on your device. It has no special access to the OS just because it comes from an MDM. The app can’t wipe your device, can’t send data to your MDM, and doesn’t do anything when it is in the background.

aaron (aaron@groundctl.com)
2019-02-18 19:51:16

The real MDM agent is an Apple process named mdmd which is present on EVERY iOS device, whether it is enrolled in MDM or not.

aaron (aaron@groundctl.com)
2019-02-18 19:51:34

You can manage devices just fine with MDM even if their apps are not installed.

aaron (aaron@groundctl.com)
2019-02-18 19:52:36

Maybe some of you knew this already — if so apologies — but it’s not always well understood.

👍 Marc Brandenburg, Damian, Simon Hardy-Bistagne, Jason
Damian (support@expertmobilite.com)
2019-02-18 20:33:31

@aaron it’s always good to delve into the details! Correct me if I’m wrong but all the agent apps do is ask for permission to access the APIs right?

Damian (support@expertmobilite.com)
2019-02-18 20:34:06

An XML file which contains the config profile

Marc Brandenburg (mobilxperts@marcbrandenburg.com)
2019-02-18 21:11:50

*Thread Reply:* Everything is done with Apple's MDM Protocol...there's no need for an agent. : )

https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf

aaron (aaron@groundctl.com)
2019-02-18 20:36:31

Not sure they all do that even.

Matthew Shaver (mshaver@us.ibm.com)
2019-02-18 21:11:19

Most of them do it via the web. No need to have the app at all depending on the scenario

Matthew Shaver (mshaver@us.ibm.com)
2019-02-18 21:11:46

I think Apple even asks EMMs to move away from any sort of app based enrollment requirements

Julio (julio.vita@hotmail.de)
2019-02-18 21:18:14

But what I saw is that most EMM can only do so much, if you don‘t have an app installed

Matthew Shaver (mshaver@us.ibm.com)
2019-02-18 21:37:24

Not totally true depending on what you are trying to accomplish (and who the EMM is, I suppose):

Without app:
- All configs (wifi/vpn/mail in apple client)
- Device restrictions
- App distribution/management
- Device customization (home screen, wallpaper, etc)
- Actions - wipe, reset passcode, mark as lost

With app (capabilities that most EMMs provide, there may be others not here):
- Location services (can be disabled by user)
- EMM specific mail client/doc container
- Messaging (in the agent - not iMessage)
- Add ons - browser, document editors, VPN and some sort of gateway agent maybe

aaron (aaron@groundctl.com)
2019-02-18 23:17:23

Good list.

Damon Hawkins (dhawkins@vmware.com)
2019-02-19 00:41:41

@Damon Hawkins has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2019-02-19 05:48:45

Even though not very important anymore; the MDM client can do jailbreak detection and some device-local conditional access / compliance enforcement also.

Julio (julio.vita@hotmail.de)
2019-02-19 08:01:49

Why shouldn’t it be important? Also compliance enforcement is an important thing🤔

Mark Vonk (mark.vonk@dahvo.com)
2019-02-19 08:59:35

I do not think Jailbreaking is really a thing anymore, except for a select few. Rooting seems to be a lot more common. Device local conditional access / compliance enforcement is important, but it seems limited (probably due to the fact that the MDM client is not really an admin on the device)

Damian (support@expertmobilite.com)
2019-02-19 10:01:45

Jail breaking allows a user to download any app (Cydia, SSH etc) without being checked by Apple. A lot of those apps have been repackaged which means people can add dodgy stuff...therefore those apps may have control to features you may not want them to have control to...IMO jailbreak detection is still very important.

Julio (julio.vita@hotmail.de)
2019-02-19 10:05:26

A lot of people use profiles to add non official “App Stores” to their device and download apps that have been altered by god knows who

NicolasR (raison_nicolas@me.com)
2019-02-19 10:05:57

No need to jailbreak to access non official app store 😉

Julio (julio.vita@hotmail.de)
2019-02-19 10:05:59

The classical way of jailbreaking is not there anymore, I agree, but people have already found multiple different ways to go about this

Carl Barrett (cbarrett@live.co.uk)
2019-02-19 10:17:30

@Carl Barrett has joined the channel

Antonio Maiello (amaiello@mobileiron.com)
2019-02-19 16:14:09

@Antonio Maiello has joined the channel

Yasar (siddiqui.arfat@yahoo.in)
2019-02-20 11:46:37

@Yasar has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-20 13:18:42

Is there a way to open company links received via Email+ only with MobileIron Web@Work (and prohibit Safari for these links) and allow non-company links with Safari? I doubt there is such a way. Of course internal websites which are only available for Web@Work can‘t be accessed with Safari without the use of Tunnel anyway

Jason (jasonh@bridgeway.co.uk)
2019-02-20 13:21:28

*Thread Reply:* Only if you can rewrite them in the form of: mibrowser://<intranet_link>

MichaelM21 (mike.miller815@yahoo.com)
2019-02-20 13:22:58

*Thread Reply:* Ok got it. Like rewriting intranet link with Exchange, not sure if that is possible

Jason (jasonh@bridgeway.co.uk)
2019-02-20 13:26:48

*Thread Reply:* Pass, beyond my level of knowledge, I’m afraid. Is Safari + Tunnel not suitable for your needs?

MichaelM21 (mike.miller815@yahoo.com)
2019-02-20 13:29:15

*Thread Reply:* Tunnel is Platinum 😜 we only have Gold!

Jason (jasonh@bridgeway.co.uk)
2019-02-20 13:32:23

*Thread Reply:* Ok, so it’s not a valid security risk reason why you’re not upgrading, just that you’re being tight-fisted? 😉

Jason (jasonh@bridgeway.co.uk)
2019-02-20 13:34:34

*Thread Reply:* Joking aside, Tunnel is a tremendously powerful and user-friendly feature that accelerates adoption, use and satisfaction for many organisations - though I can’t make the value vs price decision for your company, of course.

Almar Diehl (almar.diehl@blaud.com)
2019-02-20 13:37:31

*Thread Reply:* You can use the KVP’s: allowsafaribrowser = false, emailurlschemehttp=mibrowser and emailurlschemehttps=mibrowser

👍 Mark Vonk, Tycho, MichaelM21, Jason
MichaelM21 (mike.miller815@yahoo.com)
2019-02-20 14:05:07

*Thread Reply:* @Almar Diehl 👍 great, thank you. That would mean links received via Email+ would only open with Web@Work, sounds good. Non-Company links received via Email+ would then also be opened with W@W, so I think there is no way to differentiate by domain name. @Jason yes I agree with you, Tunnel is great but not in the budget right now.

FullMobile (mihai.zapuc@gmail.com)
2019-02-20 14:51:08

@FullMobile has joined the channel

Srikanth (srikanth.gone@live.com)
2019-02-21 09:31:33

@Srikanth has joined the channel

Yasar (siddiqui.arfat@yahoo.in)
2019-02-21 13:26:33

Congrats @Adrian Patrascu well composed and easily understandable blog. Will it impact only the initial enrollment of BYOD devices in EMM? or Corporate owned devices will also get impacted?

👍 Adrian Patrascu, JF Rigot, Russell Mohr, Woody
🍾 Russell Mohr
Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-02-21 13:27:21

*Thread Reply:* Thank you Yasar. Glad to be of help!

Julio (julio.vita@hotmail.de)
2019-02-21 19:39:06

*Thread Reply:* Corporate owned enrolled with DEP is not affected @Yasar

👍 Yasar
Developer (anujbahuguna.dev@gmail.com)
2019-02-21 17:37:23

@Developer has joined the channel

danlux (dan.luchsinger@dignityhealth.org)
2019-02-21 18:43:33

@danlux has joined the channel

Jesus Latorre (jesocas@us.ibm.com)
2019-02-21 18:58:33

@Jesus Latorre has joined the channel

Ole Daugaard (odaugaard@gmail.com)
2019-02-22 12:48:51

@Ole Daugaard has joined the channel

Sebastian (registration@talue.fr)
2019-02-22 20:29:56

@Sebastian has joined the channel

Matt Dermody (jmdermody@gmail.com)
2019-02-23 03:12:15

@Matt Dermody has joined the channel

Bilgin (bilginbaldji@yahoo.co.uk)
2019-02-23 18:30:05

@Bilgin has joined the channel

Mathieu Maillet (mathieumaillet.fr@gmail.com)
2019-02-23 22:35:46

@Mathieu Maillet has joined the channel

Adrien Blaise (adrien@appaloosa-store.com)
2019-02-26 15:35:22

@Adrien Blaise has joined the channel

Markus Güntner (markus.guentner@outlook.com)
2019-02-27 06:58:31

@Markus Güntner has joined the channel

Suneil (suneil.sastri@soti.net)
2019-02-27 23:37:22

@Suneil has joined the channel

Pierre (pierre.tabanous@digitaldimension.fr)
2019-02-28 16:01:06

@Pierre has joined the channel

Ben (ben.witt@bb10qnx.de)
2019-02-28 19:34:47

@Ben has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-03-01 14:34:47

Interesting Use Case - iCloud Photo stream is allowed for personal use for one customer. Looking for sort of business context camera and gallery application for integration with MobileIron, so private and business data can be separated and the business photos will not end up in the iCloud Photo Stream. Any pointers for a good app that could be used for that?

Matthew Shaver (mshaver@us.ibm.com)
2019-03-01 18:12:24

*Thread Reply:* Devils advocate if I may - what would be the point? There would still be nothing stopping the user from taking the photo and saving it to their personal stream. Doesn’t MI provide a containerized documentation app that could be used for securely storing anything business related?

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-03-01 19:22:42

*Thread Reply:* Agreed, but same goes for Android Enterprise then, where you can also have two camera apps. In the end it is up to the user, but they need to sign a waiver for that. Yes, Docs@Work but you can‘t take pictures with Docs@Work though.

Matthew Shaver (mshaver@us.ibm.com)
2019-03-01 20:02:13

*Thread Reply:* I can definitely recommend some camera apps to unify the experience in AE work profile, but nothing on iOS - though a Box For EMM account would probably do the trick if there is the budget for it. We use it internally and between that and Slack, I barely touch my email for internal communications anymore 😂

JP Guldfeldt (jpguldfeldt@hotmail.com)
2019-03-04 05:31:56

*Thread Reply:* You can use Captor https://marketplace.mobileiron.com/listing/captor%20for%20mobileiron

👍 MichaelM21
Thibaut Bellon (thibaut@mobinergy.com)
2019-03-01 19:46:44

@Thibaut Bellon has joined the channel

Ankur Acharya (ankuracharya@gmail.com)
2019-03-01 23:36:28

@Ankur Acharya has left the channel

ygini (y@abelionni.com)
2019-03-02 09:13:46

@ygini has joined the channel

Nils Gerloff (nils.gerloff@your-side.de)
2019-03-05 11:27:57

@Nils Gerloff has joined the channel

Nafes Choudhry (choudhry.nafes@gmail.com)
2019-03-07 19:03:35

@Nafes Choudhry has joined the channel

Sharkey (lukesharkey@gmail.com)
2019-03-08 13:11:18

Are any of you using anything to sync a large contact list across iOS devices? I need it to be able to be used in the phone for caller ID etc. Don't want to do it across mailboxes using ActiveSync.

Sragnob (maartinos@gmail.com)
2019-03-08 13:15:04

@Sragnob has joined the channel

Jesus Latorre (jesocas@us.ibm.com)
2019-03-08 13:44:40

Try a CardDAV server. We have clients that use like an open source version to push down contacts in bulk via MDM

ygini (y@abelionni.com)
2019-03-08 13:51:07

Can’t you rely on the CRM app for that?

Sharkey (lukesharkey@gmail.com)
2019-03-08 14:01:49

Which CRM app?

Bartosz Leoszewski (leoszewski@gmail.com)
2019-03-13 15:05:20

@Bartosz Leoszewski has joined the channel

ygini (y@abelionni.com)
2019-03-14 14:49:58

@Sharkey the CRM app used by the company, it’s the CRM job to manage a large contact list for the company

Daniel (d.weber@netze-bw.de)
2019-03-14 19:21:02

@Daniel has joined the channel

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-15 17:40:42

@Ladislav Blazek has joined the channel

Julio (julio.vita@hotmail.de)
2019-03-19 10:00:54

If somebody forgot his iPhone password and the device is not connecting to wifi or mobile data anymore, is there a way of resetting the passcode other than factory resetting the phone using “Restore”?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 10:02:23

No, not really. You can insert a pincode-less SIM card and see if it connects to the mobile network

Julio (julio.vita@hotmail.de)
2019-03-19 10:02:42

Yeah, sometimes that works and sometimes it doesn't

Julio (julio.vita@hotmail.de)
2019-03-19 10:02:46

Unfortunately

NicolasR (raison_nicolas@me.com)
2019-03-19 11:36:10

Use Ethernet to connect the device to a network?

Tycho (tycho@schenkeveld.com)
2019-03-19 11:45:41

On an iPhone? 🙂

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-03-19 11:55:40

@Julio had the same issue with one of our customers about a month ago. They did the trick with the pincode-less SIM card. The 3G/4G connection is made upon the pincode screen when the SIM has no pincode. When the SIM has a pincode, the phone must be unlocked before the SIM card makes its connection

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 11:57:47

I think on some iOS versions, this did not work however. With the latest versions of iOS, it does seem to work properly again.

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-03-19 11:58:50

Same experience here. Also, there was a time that the SIM pincode was asked in a pop-up on the passcode screen but that was a long time ago

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 12:00:53

As for Ethernet: you can buy (yet another) dongle to supplement your life in Apple’s bubble: https://9to5mac.com/2017/03/01/ios-10-2-ethernet-adapter-ui-settings-app/

👍 Sharkey
Tycho (tycho@schenkeveld.com)
2019-03-19 17:24:23

*Thread Reply:* Ok I did not know that.. Thanks!!

Julio (julio.vita@hotmail.de)
2019-03-19 13:27:12

The sim card trick did the job, thanks guys

Julio (julio.vita@hotmail.de)
2019-03-19 13:27:44

@Mark Vonk I also made the experience with previous versions, that sometimes it worked and sometimes it didn’t

NicolasR (raison_nicolas@me.com)
2019-03-19 17:08:41

Ethernet one saved a customer that played with WiFi Whitelisting 😄

😆 Woody
NicolasR (raison_nicolas@me.com)
2019-03-19 17:09:12

120 devices impacted => Amazon.com > Bought dongle 😄

Nick (nickdiaz@gmail.com)
2019-03-20 20:29:44

@Nick has joined the channel

Sean (kenney.seanp@gmail.com)
2019-03-20 20:46:46

@Sean has joined the channel

aaron (aaron@groundctl.com)
2019-03-21 11:32:06

Via 9to5mac, Apple has added Federated Identity with Azure AD to Apple School Manager. This is for SCHOOL manager, not BUSINESS manager, for now; and only for Managed Apple IDs, which are not at all common in business. But good to see Apple embracing SAML for their own web services — very open!

https://help.apple.com/schoolmanager/#/apdb19317543

👍 Woody, Jesus Latorre, iMZ
Sharkey (lukesharkey@gmail.com)
2019-03-21 11:47:22

Possibly a beginning to managed business apple ID's

Sharkey (lukesharkey@gmail.com)
2019-03-21 11:47:24

nice

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-03-21 14:31:44

@Konstantinos Leivadaros has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-03-21 16:56:48

Wow, great news. (First thing I did was check out ABM to see if it had changed, too…)

Jack Madden (jackalexandermadden@gmail.com)
2019-03-21 16:59:03

I wonder if they’re really limiting it to just AAD for now, or if you could get another SAML IdP to work

Jay (jay@project-xy.com)
2019-03-21 17:00:42

Looking at the info.. surely any IdP would work as it's just SAML?

Woody (eric.woodland@trust.tc)
2019-03-21 17:15:55

Is it using federation just for access to the ABM portal or for device enrollments, etc?

aaron (aaron@groundctl.com)
2019-03-21 18:52:11

@Woody neither.

👍 Woody
aaron (aaron@groundctl.com)
2019-03-21 18:52:38

It uses SAML for Managed Apple IDs, automatically creating new Apple IDs if needed.

aaron (aaron@groundctl.com)
2019-03-21 18:52:57

Access to the ASM portal and device enrollment is still user/password.

Woody (eric.woodland@trust.tc)
2019-03-21 18:56:41

Okay. So some sort of JIT-ish approach

Stephen (stephen.stansfield@oa.mo.gov)
2019-03-22 16:29:39

@Stephen has joined the channel

Adam Case (ajcase@us.ibm.com)
2019-03-22 21:43:57

@Woody Apple is using SAML but they aren’t opening it up to other IdPs it seems

Adam Case (ajcase@us.ibm.com)
2019-03-22 21:45:07

All their docs are only related to AzureAD.

aaron (aaron@groundctl.com)
2019-03-25 19:22:21

iOS 12.2 is out.

👍 Sharkey
aaron (aaron@groundctl.com)
2019-03-25 19:24:57

Same build# as last beta.

Mark Vonk (mark.vonk@dahvo.com)
2019-03-25 19:25:16

does it contain the new MDM profile workflow?

Rajesh Kumar (rajes20@gmail.com)
2019-03-26 05:57:13

*Thread Reply:* Yes..you need to manually install the profile by going into settings. I just checked on my ios device with intune

👍 Adrian Patrascu
Mark Vonk (mark.vonk@dahvo.com)
2019-03-25 19:25:35

(could check obviously, but did not have the time yet)

Jesus Latorre (jesocas@us.ibm.com)
2019-03-25 19:26:18

yes it does @Mark Vonk

Mark Vonk (mark.vonk@dahvo.com)
2019-03-25 19:27:49

Thanks!

Mark Vonk (mark.vonk@dahvo.com)
2019-03-25 20:31:12

Indeed, confirmed

Matthew Shaver (mshaver@us.ibm.com)
2019-03-27 17:23:52

iOS 12.3 beta is out: https://www.macrumors.com/2019/03/27/apple-seeds-ios-12-3-beta-to-developers/ Appleseed has been updated

Matthew Shaver (mshaver@us.ibm.com)
2019-03-28 13:47:49

Part of the iOS 12.3 beta is a feedback survey about the manual MDM enrollment changes (profile workflows). I'd recommend telling a friend to tell a friend to take it. I doubt Apple will do anything, but I've heard nothing but negative feedback and it may be useful for Apple to hear it as well, if only to prevent further changes like this in the future.

If you install the beta, login to the Apple Feedback app and look for the "January 2019 - Profile Experience Test Plan" survey

👍 Adrian Patrascu, Daniel
NicolasR (raison_nicolas@me.com)
2019-03-28 13:54:39

*Thread Reply:* The infinite problem with apple is that they act and after only they think that maybe they impacted businesses...

NicolasR (raison_nicolas@me.com)
2019-03-28 13:54:49

*Thread Reply:* Thanks anyway

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 14:23:02

What is the best way to gather ActiveSync logs from the native mail app without macOS?

Jesus Latorre (jesocas@us.ibm.com)
2019-03-28 14:24:51

If you have a developer account, you can get a syslog profile from Apple which will include logging for native mail. A lot of it is privatized though, but should help depending on what you're doing.

🙏 MichaelM21
Jesus Latorre (jesocas@us.ibm.com)
2019-03-28 14:25:11

https://developer.apple.com/bug-reporting/profiles-and-logs/

Jesus Latorre (jesocas@us.ibm.com)
2019-03-28 14:25:37

then you can generate the syslogs from the device as a zip file and then simply move it around using iTunes

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 15:27:33

Ok thanks. Is there a better way with macOS?

Jesus Latorre (jesocas@us.ibm.com)
2019-03-28 15:31:22

you could use ACU2 console logs to gather what you need, but a lot of the debugging there has been moved to syslogs

Jesus Latorre (jesocas@us.ibm.com)
2019-03-28 15:32:00

so you might not get what you need like you can with syslogs. If you have macOS, you could easily airdrop the zipped syslogs once generated from your iDevice to your macOS

🙏 MichaelM21
David Behra (david@mobinergy.com)
2019-03-28 21:57:29

@David Behra has joined the channel

Tim Rudolph (me@timrudolph.net)
2019-03-29 14:07:35

@Tim Rudolph has joined the channel

noodl35 (david.v.nguyen@zurichservices.com)
2019-03-29 15:50:51

@noodl35 has joined the channel

Peter (p.ketterer@netze-bw.de)
2019-04-01 13:54:47

@Peter has joined the channel

Matthew Shaver (mshaver@us.ibm.com)
2019-04-02 18:09:52

Is there a difference between the iOS device level logs pulled from Xcode vs. AC2 vs. Console? My understanding was “no” that it’s the same, and that advanced logging is all via the sysdiagnose profile

Sharkey (lukesharkey@gmail.com)
2019-04-02 18:14:25

yeah, they are all the same console logs

Matthew Shaver (mshaver@us.ibm.com)
2019-04-02 18:15:20

Thanks for verifying. I think this dev is just being picky for no reason

Beth (elizabeth.borgmeyer@oa.mo.gov)
2019-04-03 18:04:42

@Beth has joined the channel

iMZ (mark_zimmermann@me.com)
2019-04-03 19:48:42

@iMZ has joined the channel

Yasar (siddiqui.arfat@yahoo.in)
2019-04-05 11:21:17

Which is the best product to manage Mac devices?

NicolasR (raison_nicolas@me.com)
2019-04-05 11:27:37

*Thread Reply:* I would say, depending on your needs 😉 Some will say Jamf, others will say a UEM vendor such as VMware or MI... but again, it really depends

Julio (julio.vita@hotmail.de)
2019-04-05 12:15:18

*Thread Reply:* Jamf

Jay (jay@project-xy.com)
2019-04-05 12:35:45

*Thread Reply:* Had a look at Fleetsmith? (https://www.fleetsmith.com/)

aaron (aaron@groundctl.com)
2019-04-05 12:42:07

*Thread Reply:* Here’s “best” for Uber: https://mobilxperts.slack.com/archives/C1U1G6PGR/p1554395025040900

} Mike Elrod (https://mobilxperts.slack.com/team/UE2DW1H8E)
NicolasR (raison_nicolas@me.com)
2019-04-05 12:43:00

*Thread Reply:* Uber is a MobileIron (Cloud) customer :-)

Yasar (siddiqui.arfat@yahoo.in)
2019-04-08 13:07:15

*Thread Reply:* Thank you for the suggestions. Will study all of them considering my needs.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-06 07:37:44

When we receive a telephone number with the native mail app or a container PIM client, is it somehow possible to open the phone number with a different calling app and not with the native caller? Calling via Cisco Jabber - The use case is phone numbers which have been received via mail should be called via Cisco Jabber with one tap on the number. I doubt that this is possible regardless of the MDM solution

NicolasR (raison_nicolas@me.com)
2019-04-06 15:35:22

*Thread Reply:* CommunicationServiceRules

Optional. The communication service handler rules for this account. The CommunicationServiceRules dictionary currently contains only a DefaultServiceHandlers key; its value is a dictionary which contains an AudioCall key whose value is a string containing the bundle identifier for the default application that handles audio calls made to contacts from this account.

🙏 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-04-06 15:35:42

*Thread Reply:* All MDM can, including core

NicolasR (raison_nicolas@me.com)
2019-04-06 15:37:03

*Thread Reply:* It is in the exchange payload

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-04-07 07:59:22

*Thread Reply:* Thanks @NicolasR, totally missed that one! 🙈👍

🍻 NicolasR
iMZ (mark_zimmermann@me.com)
2019-04-06 20:12:06

Does someone know where I can find URL schema definitions for the iOS version of the Kaizala messenger?

Damian (support@expertmobilite.com)
2019-04-08 14:08:18

Anyone know where the ‘never’ option in auto-lock has gone? It used to be there in previous versions ...

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-08 14:13:44

*Thread Reply:* Thought that the option was only removed when an Exchange mail was configured.

Damian (support@expertmobilite.com)
2019-04-08 14:14:14

*Thread Reply:* Nope, can’t find it on all of my iOS devices - seems they removed it

Damian (support@expertmobilite.com)
2019-04-08 14:14:33

*Thread Reply:* Sucks if I need to test an app that needs to be kept in the foreground

Damian (support@expertmobilite.com)
2019-04-08 14:14:44

*Thread Reply:* Typical of Apple - I’m going to open a case

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-08 14:16:06

*Thread Reply:* I still have that option "Never" in "Automatic lock".

Damian (support@expertmobilite.com)
2019-04-08 14:17:08

*Thread Reply:* Ok I’ll double check we haven’t set a restriction for this

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-08 14:17:11

*Thread Reply:* Settings > Display & Brightness > Auto-Lock > Never

Damian (support@expertmobilite.com)
2019-04-08 14:17:23

*Thread Reply:* Yeah I don’t see that option

Damian (support@expertmobilite.com)
2019-04-08 14:18:07

*Thread Reply:*

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-08 14:18:42

*Thread Reply:* Then there must be something configured or installed(policies/restrictions) that blocks that option

Damian (support@expertmobilite.com)
2019-04-08 14:19:19

*Thread Reply:* Yep that’s my thinking - checking now

Damian (support@expertmobilite.com)
2019-04-08 14:19:28

*Thread Reply:* Probably a reason for it security wise

Damian (support@expertmobilite.com)
2019-04-08 14:23:46

*Thread Reply:* Yep iOS passcode profile set to 5 mins 🤦‍♂️

Lukasz (lukasz_wawrzyniak@symantec.com)
2019-04-08 16:40:21

@Lukasz has joined the channel

Matthew Shaver (mshaver@us.ibm.com)
2019-04-08 18:12:45

iOS 12.3 beta 2 is out. Appleseed has not been updated yet

Jay (jay@project-xy.com)
2019-04-08 18:16:10

👍

Justin Butts (justin.butts777@gmail.com)
2019-04-09 15:26:07

@Justin Butts has joined the channel

aaron (aaron@groundctl.com)
2019-04-09 17:24:03

Hey all — we are looking for someone to do some contract work to rebuild one of our iOS apps. I’d love a recommendation or intro from anyone in this group.

aaron (aaron@groundctl.com)
2019-04-09 17:24:36

*Thread Reply:* It’s a pretty simple app, and we are looking to add some BLE (Bluetooth Low Energy) and proximity features. Experience with those systems would be ideal. But in general a solid developer would be great, for approx 1 month part time.

Woody (eric.woodland@trust.tc)
2019-04-09 18:50:55

*Thread Reply:* @aaron I’ve got a guy. @jj Need to see if he’s got any availability

jj (jj@autolean.com)
2019-04-09 18:52:01

*Thread Reply:* 👋

👋 Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-04-11 07:34:49

Hey everybody, anyone using Cisco Jabber with SSO? I was wondering if this is supported by the application, similar to OAuth with the native mail app.

NicolasR (raison_nicolas@me.com)
2019-04-11 08:41:40

*Thread Reply:* what do you mean by similar to native mail app?

MichaelM21 (mike.miller815@yahoo.com)
2019-04-11 15:15:08

*Thread Reply:* With the Modern Authentication option within the Exchange config where you can authenticate against an IdP (OAuth). Not sure if this can also be done with Jabber on iOS

Lukasz (lukasz_wawrzyniak@symantec.com)
2019-04-12 09:57:29

*Thread Reply:* you can use federation and any SAML-based SSO with Jabber, so yes, you can auth against other IdPs

🙏 MichaelM21
Julio (julio.vita@hotmail.de)
2019-04-11 11:52:34

Hi, maybe it suits better here; I’m having issues with iOS devices that are enrolling into my Workspace One environment. The devices are enrolling but not picking up compliance policies, profiles and assigned apps. When I check under Troubleshooting and Command, I see this;

Johannes Harbs (harbs.johannes@gmail.com)
2019-04-11 12:07:51

*Thread Reply:* We had an issue with one of our customers, where smartgroups were not applied to newly registered devices. The issue was solved by an update of the system.

Manual workaround that worked for us was to open the smart group and save it again (no changes needed). This applied the smart group to all currently enrolled devices.

Julio (julio.vita@hotmail.de)
2019-04-11 12:09:47

*Thread Reply:* You opened each smart group and just saved it again?

Johannes Harbs (harbs.johannes@gmail.com)
2019-04-11 12:10:36

*Thread Reply:* Yes. Solved the issue temporarily until we implemented the upgrade.

Julio (julio.vita@hotmail.de)
2019-04-11 12:13:02

*Thread Reply:* Is that then a system error, so a ticket with VMware should be opened? We are on SaaS, so it’s a bit difficult to update by ourselves, especially since we just received the last update yesterday or so.

Johannes Harbs (harbs.johannes@gmail.com)
2019-04-11 12:20:24

*Thread Reply:* It was a system error on our system (on-prem), so I would suggest to open a ticket with VMware.

Julio (julio.vita@hotmail.de)
2019-04-11 12:21:44

*Thread Reply:* Okay, thank you very much.

Mirco Reimer (slack@mircoreimer.de)
2019-04-11 14:02:44

*Thread Reply:* usually on-prem this is a hanging Smart Group Service or maybe even crashed

Julio (julio.vita@hotmail.de)
2019-04-11 14:13:19

*Thread Reply:* Read it in the documentation, but since we are SaaS I assume there is nothing we can do except from opening a ticket right?

Mirco Reimer (slack@mircoreimer.de)
2019-04-11 14:24:47

*Thread Reply:* yeah ticket only

👍 Julio
Damian (support@expertmobilite.com)
2019-04-11 21:48:55

*Thread Reply:* Known issue - check it out!

Julio (julio.vita@hotmail.de)
2019-04-11 11:59:09

I figured out, that the devices affected by this are in the right OU but do not get assigned to the right smart groups

Tycho (tycho@schenkeveld.com)
2019-04-11 12:17:42

Hm still, if the assignment was incorrect it wouldn't even queue the request normally

🤔 Julio
Jordan Philip (jordan.philip@mobilesolutions.net)
2019-04-11 15:29:48

@Jordan Philip has joined the channel

Jacques Aing (jacques.aing@digitaldimension.fr)
2019-04-12 09:50:36

@Jacques Aing has joined the channel

Julio (julio.vita@hotmail.de)
2019-04-12 13:52:26

How can I trigger an OS lookup and update on iOS devices that don’t have the Hub application installed? I have a bunch of devices that are already updated, but in the system you see the last scan for profiles, apps and stuff is from a month ago, even though device last seen is from today.

Sharkey (lukesharkey@gmail.com)
2019-04-12 13:54:34

*Thread Reply:* Do you have access to the device? Maybe it’s on but locked. In which case it would not report much information since it's locked. It would respond but iOS limits information when locked.

Julio (julio.vita@hotmail.de)
2019-04-12 13:56:37

*Thread Reply:* I currently don’t have a device that I could check immediately, but data samples that are over a month old because of the device being locked every now and then?🤔

Sharkey (lukesharkey@gmail.com)
2019-04-12 14:00:09

*Thread Reply:* check in intervals are scheduled by your server, if the scheduled check in happens when locked, then yes it would not give much info. I have people that plug the device in, drop it in a drawer and never pull it out. It checks in, but never gives much info beyond that.

Julio (julio.vita@hotmail.de)
2019-04-12 14:07:23

*Thread Reply:* Okay, thanks for clarifying

Mike L (mlee@partners.org)
2019-04-12 14:43:08

@Mike L has joined the channel

David F (david.fink@gov.bc.ca)
2019-04-15 16:52:14

is there a way to see a more verbose list of changes in iOS 12.2? We can no longer "Remove" an Exchange Mailbox under "Passwords & Accounts"

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-15 16:56:12

*Thread Reply:* Does this help? https://support.apple.com/en-us/HT209084#122

Stephen (stephen.stansfield@oa.mo.gov)
2019-04-15 17:34:12

*Thread Reply:* Is removal allowed in the profile it is configured with or is it manually configured?

David F (david.fink@gov.bc.ca)
2019-04-15 17:37:36

*Thread Reply:* the only reference I can see to accounts is over in restrictions and I think it refers to modifying the APPLE ID itself

David F (david.fink@gov.bc.ca)
2019-04-15 17:38:21

*Thread Reply:* @Konstantinos Leivadaros this is great info https://support.apple.com/en-ca/HT209599

David F (david.fink@gov.bc.ca)
2019-04-15 17:38:31

*Thread Reply:* but I don't see any changes that would account for what we are seeing

David F (david.fink@gov.bc.ca)
2019-04-15 17:59:59

*Thread Reply:* I found a device on 12.1.4 and it's missing "Remove" as well, so maybe not a new issue?

Andrew Olpin (andy@olpin.us)
2019-04-15 19:38:54

*Thread Reply:* I don't know if the "remove" option is available for mailboxes provisioned by MDM / EMM.

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-15 19:40:23

*Thread Reply:* You are actually adding and removing a profile which configures the email account so the question really is if you have allowed the removal of the profile configuring the email account. You can find this in the “General” tab of the profile

Andrew Olpin (andy@olpin.us)
2019-04-15 19:43:18

*Thread Reply:* ...And usually MDM profile removal requires removing them all, I've not seen iOS allow a piecemeal removal of profiles.

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-15 19:43:47

*Thread Reply:* Send a picture of the “General” tab of your email profile

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-15 19:45:12

*Thread Reply:* Sorry, I am not in front of an AW console so trying to remember by heart

David F (david.fink@gov.bc.ca)
2019-04-15 20:50:54

*Thread Reply:* I don't have a device with an old enough OS to capture, found this in an image search

David F (david.fink@gov.bc.ca)
2019-04-15 20:52:13

*Thread Reply:* @Andrew Olpin we have a separate device profile just for Exchange so we can remove just it or update restrictions without impacting a user's mailbox

Lukasz (lukasz_wawrzyniak@symantec.com)
2019-04-15 21:02:52

*Thread Reply:* WS1 best practices was always to use separate profiles for each functionality so Exchange profile really is best on its own

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-15 21:11:53

*Thread Reply:* @Lukasz is right. Never combine payloads unless absolutely necessary (i.e. Wi-Fi & Credentials).

Johannes Harbs (harbs.johannes@gmail.com)
2019-04-16 07:47:35

*Thread Reply:* @David F it is not possible (and never was) to remove an exchange account on the device with the "Delete Account" option, if it was pushed through an MDM. The option is only shown for manually added accounts.

👍 Konstantinos Leivadaros, Andrew Olpin, Steve Blake
Damian (support@expertmobilite.com)
2019-04-15 16:59:58

In case anyone has any idea or has seen this behaviour: https://mobilxperts.slack.com/archives/C7MF5T6KH/p1555343907002600 🤔

} Damian McMahon (https://mobilxperts.slack.com/team/U73U07BFH)
Matthew Shaver (mshaver@us.ibm.com)
2019-04-15 17:32:42

*Thread Reply:* Ran the scenario on a device and couldn’t reproduce - is this happening across iOS versions?

Damian (support@expertmobilite.com)
2019-04-15 17:36:10

*Thread Reply:* Most of our users are on iOS 12. It happened to me and a few of my colleagues. MSFT told me the issue needs to happen live in order to find the root cause

NicolasR (raison_nicolas@me.com)
2019-04-15 17:36:38

*Thread Reply:* Chinese government is watching you 😂

😆 Damian
Damian (support@expertmobilite.com)
2019-04-15 17:36:57

*Thread Reply:* That’s not going to be easy unless they put debug logging on the servers in the cloud and on all the clients which I highly doubt

NicolasR (raison_nicolas@me.com)
2019-04-15 17:37:47

*Thread Reply:* By the way it happened to me with Thai characters with O365+native macOS client

NicolasR (raison_nicolas@me.com)
2019-04-15 17:38:52

*Thread Reply:* Never complained because my company didn’t support officially macOS native client :-D

Damian (support@expertmobilite.com)
2019-04-15 17:44:04

*Thread Reply:* We only use the outlook mobile client - never used the native client.

Stephen (stephen.stansfield@oa.mo.gov)
2019-04-15 22:17:21

Anyone have any luck getting the iOS update with MDM commands to work well? Has anyone heard about any planned improvements? We use AirWatch. They seem to work with major caveats: the iOS download command blocks all commands when sent on cellular until the device is connected to Wi-Fi, and the install command just prompts for the passcode if you have one.

NicolasR (raison_nicolas@me.com)
2019-04-16 13:04:38

hey @here I remember I had an Apple KB link which explains the way actually iOS DEP devices backup & restore works and this KB explained why backing up a device as non-supervised overcomes the supervision setting on the device if it’s restored after DEP enrollment (on the same device)

NicolasR (raison_nicolas@me.com)
2019-04-16 13:04:50

This KB seems to be removed now 😢

NicolasR (raison_nicolas@me.com)
2019-04-16 13:04:58

anyone have it?

Luc (luc.rames@digitaldimension.fr)
2019-04-16 13:05:10

let me check

NicolasR (raison_nicolas@me.com)
2019-04-16 13:06:18

I think this is the one: https://support.apple.com/en-gb/HT202977

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-04-16 13:12:59

*Thread Reply:* I remember I searched for something similar a while ago, but did not find anything in this regard. I am pleased to see such an article existed, and disappointed to see it was already removed before I could use it.

Tycho (tycho@schenkeveld.com)
2019-04-16 13:16:40
Tycho (tycho@schenkeveld.com)
2019-04-16 13:17:43

*Thread Reply:* These are not the pages you're looking for.. Move along 🤖

Tycho (tycho@schenkeveld.com)
2019-04-16 13:18:19

*Thread Reply:* Interesting though because I have similar problems and this would be really great to have.. Will check archive.org

NicolasR (raison_nicolas@me.com)
2019-04-16 13:18:27

*Thread Reply:* nop^

NicolasR (raison_nicolas@me.com)
2019-04-16 13:18:32

*Thread Reply:* already checked

NicolasR (raison_nicolas@me.com)
2019-04-16 13:18:37

*Thread Reply:* also Google Cache

NicolasR (raison_nicolas@me.com)
2019-04-16 13:18:54

*Thread Reply:* just completely deleted!

Tycho (tycho@schenkeveld.com)
2019-04-16 13:19:16

*Thread Reply:* Indeed.. Apple must have a robots.txt blocking them

Tycho (tycho@schenkeveld.com)
2019-04-16 13:21:13

*Thread Reply:* Apparently the cache worked at some point in the past: https://www.reddit.com/r/ipad/comments/5gogol/restoring_from_an_icloud_backup_to_a_depenrolled/

Tycho (tycho@schenkeveld.com)
2019-04-16 13:22:07
aaron (aaron@groundctl.com)
2019-04-16 13:24:23

*Thread Reply:* I was looking for the same last week. Good to know I’m not crazy. Or I’m not the only crazy.

🤣 NicolasR
Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-16 13:44:53

*Thread Reply:* The Wayback machine comes to the rescue: https://web.archive.org/web/20150214031317/http://support.apple.com/en-us/HT202977

👍 Tycho
🎉 Tycho
Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-16 13:46:23

*Thread Reply:* …but I don’t think this is the one you are looking for @NicolasR

NicolasR (raison_nicolas@me.com)
2019-04-16 13:47:51

*Thread Reply:* It is...!! But was searching in archive.org without success! Thanks man

Konstantinos Leivadaros (amigodeluxe@gmail.com)
2019-04-16 13:48:40

*Thread Reply:* Perhaps this could be useful too: https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/

👍 Adrian Patrascu
aaron (aaron@groundctl.com)
2019-04-16 13:51:16

*Thread Reply:* @Matthew Shaver FTW

😉 Konstantinos Leivadaros
😀 Matthew Shaver
NicolasR (raison_nicolas@me.com)
2019-04-16 14:01:41

*Thread Reply:* 🥳

Tycho (tycho@schenkeveld.com)
2019-04-16 15:22:08

*Thread Reply:* Super, many thanks!

Boris W. (bwl@ibelem.com)
2019-04-17 15:00:53

@Boris W. has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-04-18 11:15:09

Can I restrict users from changing the APN settings on the device? Restrict Modify cellular plan settings on the device maybe?

Matthew Shaver (mshaver@us.ibm.com)
2019-04-18 15:11:42

*Thread Reply:* That only prevents the user from changing the app settings related to cellular data. APN can't be disabled in any restrictions I'm aware of; disabling or restricting editing would be handled at the carrier level

aaron (aaron@groundctl.com)
2019-04-18 16:37:04

*Thread Reply:* Perhaps if you set an APN via MDM this will prevent the setting from being changed? I don’t know, am just guessing.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-18 16:50:16

*Thread Reply:* Currently we deploy APN via MobileIron Core, but the values still can be modified by the users. We need to switch to Cellular policy anyway because APN will be deprecated by 🍏.. maybe with Cellular policy that works. I just thought that there has been a restriction to prevent modification of mobile data settings.

Hari (hariranjit92@gmail.com)
2019-04-23 06:00:59

@Hari has joined the channel

JmB (jean-marc.bichaud@econocom.com)
2019-04-23 15:36:36

@JmB has joined the channel

JmB (jean-marc.bichaud@econocom.com)
2019-04-23 15:37:27

Hello, I read that the APNS flow does not support proxy. Can somebody explain to me why? Thank you.

Sharkey (lukesharkey@gmail.com)
2019-04-23 15:44:44

*Thread Reply:* I've simply known that APNS (as a protocol) just doesn't support the model. Never seen much on why, that would be up to Apple to discern 🤷‍♂️

Johannes Harbs (harbs.johannes@gmail.com)
2019-04-23 15:46:12

*Thread Reply:* At least with WS1, it does support proxy. But then it needs to be a SOCKS proxy.

✔️ Boris W.
Sharkey (lukesharkey@gmail.com)
2019-04-23 15:46:53

*Thread Reply:* https://support.apple.com/en-us/HT203609

Matthew Shaver (mshaver@us.ibm.com)
2019-04-23 15:47:51

*Thread Reply:* ^^That's the only article I think I’ve ever seen directly from Apple on the subject. We opened a ticket once hoping they would shed more light, but we got a pretty canned “this is expected behavior” response and they closed the ticket

👍 Sharkey
Sharkey (lukesharkey@gmail.com)
2019-04-23 15:48:23

*Thread Reply:* haha, that is expected Apple behavior

NicolasR (raison_nicolas@me.com)
2019-04-23 15:48:49

*Thread Reply:* From client side: iOS 12 brought support for APNS through Proxy

From server side: APNSv2 protocol might help as it is now HTTPS

👍 Boris W.
Ladislav Blazek (ladislav@lblazek.cz)
2019-04-23 18:13:57

*Thread Reply:* Apple is transitioning from ”binary” APNs protocol to APNs2 which is HTTPS based. @NicolasR do you know about documentation/KB article mentioning iOS12 support for APNs over proxy support?

Matthew Shaver (mshaver@us.ibm.com)
2019-04-23 18:26:22

*Thread Reply:* ^^I’d be curious to know about that. I don’t recall seeing anything related to it in the Appleseed notes. I’ll check the iOS 12 Security Reference guide

NicolasR (raison_nicolas@me.com)
2019-04-23 19:19:35

*Thread Reply:* can’t find the document but it was something Apple announced via email to partners when iOS 12 was out

Lukasz (lukasz_wawrzyniak@symantec.com)
2019-04-23 23:44:05

*Thread Reply:* What's the use case here? Mobile devices on WiFi and no data plans where WiFi is via proxy to internet?

Ladislav Blazek (ladislav@lblazek.cz)
2019-04-24 08:36:03

*Thread Reply:* @Lukasz Wi-Fi only (and usually single purpose) iPads in highly restricted environments like banks/government. It is also a common problem with macOS management. For example iPads used for document signing.

👍 Lukasz, NicolasR
Matthew Shaver (mshaver@us.ibm.com)
2019-04-24 14:50:11

*Thread Reply:* We had a case like this for iPads that were being used as a mainframe interface. The network they were connected to day-to-day didn’t allow any traffic related to APNS. The solution ended up being a dedicated terminal where they could be hardwired to a connection for updates (this worked on 2 levels since the device couldn’t be connected to the external internet and the mainframe at the same time since only physical connections to either were allowed). It’ll be interesting to see if this iOS 12 stuff pans out, I still haven’t found any official documentation on it

pihlapuro (juho-pekka.pihlapuro@teliadatainfo.fi)
2019-04-26 08:20:58

@pihlapuro has joined the channel

Wouter Troost (wt@mob.co)
2019-04-26 08:24:48

@Wouter Troost has joined the channel

Sharkey (lukesharkey@gmail.com)
2019-04-26 15:19:30

Anyone know if Apple will support SAML during DEP enrollments someday?

Tycho (tycho@schenkeveld.com)
2019-04-26 16:49:29

*Thread Reply:* Yes the lack of any kind of "Apple ID Corporate" program is a big pain on this platform IMO. Even though we can cover some aspects of it through DEP (like the Activation lock) it's still quite annoying that users have to create their own account with Apple to download stuff from the app store and we can't manage it (of course VPP is an option but it requires going outside the apple ecosystem with a private store if you want to do it on-demand)

David F (david.fink@gov.bc.ca)
2019-04-26 18:35:04

*Thread Reply:* I really hope ABM is a move towards my AD user accounts becoming managed Apple ID's

👍 Sharkey, Tycho
aaron (aaron@groundctl.com)
2019-04-26 15:21:20

Nice try.

😂 Matthew Shaver, Tycho
Sharkey (lukesharkey@gmail.com)
2019-04-26 15:27:30

one can hope lol

Sharkey (lukesharkey@gmail.com)
2019-04-26 15:27:55

I'm always working through it and the DEP gets in my way, oh well

aaron (aaron@groundctl.com)
2019-04-26 15:48:05

WWDC is the week of June 3, and the Business session is traditionally Thursday morning.

👍 Sharkey
jafullersr (jafuller@starbucks.com)
2019-04-26 22:58:42

School Manager supports AAD via SAML right? So, maybe someday far far away without committing or suggesting or implying that it would be coming to DEP at some point.

aaron (aaron@groundctl.com)
2019-04-27 13:20:46

Interesting article. Many (all?) of these parental control apps were using supervision & MDM to manage child devices. Apple seems to be cracking down on this practice now. Of course the app developers are complaining. But I don’t think they should have been using supervision in the first place. Thoughts? https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html

Jack Madden (jackalexandermadden@gmail.com)
2019-04-28 04:44:00

*Thread Reply:* Also relevant: https://www.macrumors.com/2019/04/27/schiller-screen-time-crackdown-mdm/

Jack Madden (jackalexandermadden@gmail.com)
2019-04-28 04:45:54

*Thread Reply:* Benedict Evans had an interesting take, which was essentially that one person’s parental control app is another person’s spying on a spouse / ex app https://twitter.com/benedictevans/status/1122305422864474113

Tycho (tycho@schenkeveld.com)
2019-04-28 11:38:39

*Thread Reply:* I think Phil Schiller has a good point. And I'd rather see them addressing it by blocking these apps than restricting MDM functionality 🙂

jafullersr (jafuller@starbucks.com)
2019-04-29 18:01:47

*Thread Reply:* I agree @Tycho. This just fuels the privacy fire when it comes to corporate use of MDM though.

Bill (slack@meshak.net)
2019-04-30 19:51:38

@Bill has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-05-02 17:36:33

To continue the whole MDM and parental control saga, check this out: https://medium.com/@ourpactapp/there-used-to-be-an-app-for-that-41344f61fb6f

Jack Madden (jackalexandermadden@gmail.com)
2019-05-02 17:41:07

*Thread Reply:* This is a statement from one of the vendors whose app got pulled. One huge problem is that none of the parties involved are making the distinction between supervised and non-supervised use cases; and what happens via MDM and via their agent.

Jack Madden (jackalexandermadden@gmail.com)
2019-05-02 17:45:47

*Thread Reply:* Let’s just hope that Apple has some surprises in store at WWDC for BYOD and parental controls

Justin Butts (justin.butts777@gmail.com)
2019-05-02 18:49:00

*Thread Reply:* They also confusingly claim multiple times that Apple invented MDM technology

jafullersr (jafuller@starbucks.com)
2019-05-02 18:58:28

*Thread Reply:* The comments made through Apple’s media and Phil himself are blatantly not true unless Apple themselves have found a flaw or flaws that open up access to MDM controlled devices to unknown sources. This is going to continue to muddy the waters of MDM and make it more difficult to get the truth out about this protocol and services that depend on it. I’d like to see the security research that Phil references in his comments.

Jack Madden (jackalexandermadden@gmail.com)
2019-05-02 19:53:06

*Thread Reply:* I think Apple was talking about cases where somebody gets social-engineered into installing malicious profiles or enrolling in MDM controlled by a malicious party.

jafullersr (jafuller@starbucks.com)
2019-05-02 20:51:24

*Thread Reply:* Yes, I’m sure they were. But the broad nature of the statement doesn’t specifically address those “bad actors”. Nonetheless, they should share their security research so that these “good actors” know what to avoid and thus be allowed to maintain their livelihood. This just seems so heavy handed and without warning, that it seems like a security breach announcement would be next.

Julio (julio.vita@hotmail.de)
2019-05-06 08:05:49

When I enroll a device in WS1 not all the VPP apps get assigned to the device, some of them give me the error code “12064 the license for the with itunes store-id xyzcs could not be applied”. Anybody know a fix for this?

Julio (julio.vita@hotmail.de)
2019-05-06 11:32:44

*Thread Reply:* So I tried several things, the only thing that actually worked, was logging in with an Apple ID while enrolling the device so I could accept the terms and conditions, which possibly led to the installation of the apps. But that doesn’t make sense, because I’m trying to do VPP because I want people to be able to enroll without Apple ID. I’ll open a ticket with WS1, just to see if they can help with the issue, even though this sounds like an Apple issue.

Andrew Olpin (andy@olpin.us)
2019-05-06 14:28:50

*Thread Reply:* Make sure you've configured the app with device based VPP, not user based VPP

Andrew Olpin (andy@olpin.us)
2019-05-06 14:29:18

*Thread Reply:* https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.6/vmware-airwatch-guides-96/GUID-AW96-MD_DvcBsd_Ovrvw.html

Julio (julio.vita@hotmail.de)
2019-05-06 15:55:27

*Thread Reply:* Thx, will check

Matt (adminmdm@driv.com)
2019-05-06 18:24:46

@Matt has joined the channel

Daniele Crippa (daniele.crippa@asystelitalia.it)
2019-05-08 15:24:55

@Daniele Crippa has joined the channel

Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:28:05

Alright, embarrassing show of hands time, who here has let an APNS cert expire in the last year or so? If you have - did you actually notice any issues (notwithstanding the time where no valid cert was present) once a new cert was uploaded? 5 years ago I was haunted by the thought of APNS expiring and an environment being forced to re-enroll every single device. However, I've seen multiple APNS certs expire in the past year with no negative impact to the environment once the new cert is loaded. Can anyone corroborate? Apple has not been super explicit about the behavior of this mechanism and I haven't seen any updates since I really started my MDM ~journey~

Jordan Philip (jordan.philip@mobilesolutions.net)
2019-07-11 19:42:23

*Thread Reply:* In case you've ever had a click-happy admin who decides to get a little crazy before you get into the screen-share... even revoking a production APNS cert, then renewing, will not force a re-enroll of all devices. I called Apple right after I noticed he did this, and eventually a tier 3 engineer called me back and said we were basically screwed and would need to re-enroll 1250 devices. Within 24 hours, the cert would be on the revocation list, and that would be that. We're now in hour 28, and no issues. I feel like the more I learn about this, the less I know. It appears that as long as the cert topic is the same, it really doesn't matter.

Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:28:40

apparently "~* *~" causes strikethru. Neato

jafullersr (jafuller@starbucks.com)
2019-05-10 18:40:04

@Justin Butts APNS expiry does prevent enrollment, but does not unenroll the device if the expiry lapses. Upon expiry lapse, the enrollment and commands sent to enrolled devices will no longer function. Essentially, the device stops listening to you. However, once renewed, the devices do begin to listen and take action again.

Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:41:24

@jafullersr That's exactly what I've thought, but since I started, every MDM admin and engineer I talked to would preach how the fallout of an APNS expiration forces an entire re-enroll of your already deployed devices

👍 Julio
Mark Vonk (mark.vonk@dahvo.com)
2019-05-10 18:41:45

Yes, with that said, we have had multiple customers with expired APNs certs. Some of them expired more than 30 days, so renewal was not an option. In that case a new cert with new subject was created and the devices had to be re-enrolled.

👍 Justin Butts, Julio
Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:41:48

Which always struck me as absurd

Mark Vonk (mark.vonk@dahvo.com)
2019-05-10 18:42:09

As mentioned it matters if you can still renew it or not

Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:42:16

@Mark Vonk Yep! As long as you're within the window to renew, everything is Gucci

:gucci: Matt Dermody, Julio
jafullersr (jafuller@starbucks.com)
2019-05-10 18:42:17

Our expiry has lasted less than 24 hours.

jafullersr (jafuller@starbucks.com)
2019-05-10 18:42:22

When it has occurred.

Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:42:25

Perfect

Jason Bayton (jason@bayton.org)
2019-05-10 18:42:39

I've always been told if it expired it's a re-enrol job, which I thought was insane

jafullersr (jafuller@starbucks.com)
2019-05-10 18:43:36

Also, you must renew the correct APNS certificate. Oddly enough, you’re able to upload ANY APNS certificate to the EMM and there is no validation that it’s a renewal and doesn’t stop you if it’s not the correct signature.

👍 Justin Butts, Julio
Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:43:45

@Jason Bayton Same! I'm relieved to hear that's only the case when it is too far out to renew

Mark Vonk (mark.vonk@dahvo.com)
2019-05-10 18:43:59

When it expires you still have 30 days to renew. When you can’t renew it anymore, you need a new cert and then re-enroll

Justin Butts (justin.butts777@gmail.com)
2019-05-10 18:44:27

Perfecto, thanks for clarifying y'all!

jafullersr (jafuller@starbucks.com)
2019-05-10 18:45:07

If you upload the wrong APNS, you may end up in a re-enroll state. Or you work with a DBA to roll back the renewal.

Mini Kialain (mkialain@manh.com)
2019-05-10 20:17:02

@Mini Kialain has joined the channel

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-05-14 09:17:29

Hi Guys, we have a very interesting issue I would like to share, maybe some of you have seen something similar. When launching Internal apps installed on iOS devices from the Corporate App Store while on Corporate WiFi we receive an error message: "Unable to Verify App - An Internet connection is required to verify trust". For sure this is a WiFi issue with our corporate setup, but I was wondering where I could find a document on Apple side that has this information. This looks similar to the trust of the Enterprise Profile that was documented here: https://support.apple.com/en-us/HT204460

aaron (aaron@groundctl.com)
2019-05-14 10:23:57

*Thread Reply:* I believe the device needs to be able to reach certificate revocation servers, so iOS can check the validity of the app signing certificate. This needs to be done at first launch, and every few days after. I’m not sure of the address, it could be ocsp.apple.com.

aaron (aaron@groundctl.com)
2019-05-14 10:25:14

*Thread Reply:* The article you linked to mentions https://ppq.apple.com

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-05-14 12:19:59

*Thread Reply:* Thank you Aaron, yes I see that on the end of it, but I was wondering if there are more details in regards to ports. I know Apple uses 17.0.0.0/8, but other details would be helpful. Maybe this would be a question we would need Apple to answer.

Almar Diehl (almar.diehl@blaud.com)
2019-05-14 11:07:19

Hi, in the iOS native mailapp, whenever a user starts typing a name of user that is not in his contact-list a Global Address Lookup is performed. However, we see a huge delay in the lookup. From the logging we pulled we see that every character that is being entered takes 1-2 seconds. Therefore whenever a user enters 5 characters it takes 5 to 10 seconds for a result to be displayed. This leads to users complaining that the lookup is not working at all (although it is working, just very slow). Does anyone know of a solution for these delays?

iMZ (mark_zimmermann@me.com)
2019-05-14 19:04:10

*Thread Reply:* Try this one : SecureContact X Business https://itunes.apple.com/de/app/securecontact-x-business/id1450074955?mt=8

Secure „offline“ Storage for GAL Contacts. For trial Version please Send me a Message

Sebastian Randig (sebastian.randig@gmail.com)
2019-05-14 12:42:16

@Sebastian Randig has joined the channel

Julio (julio.vita@hotmail.de)
2019-05-16 13:05:35

Can anyone maybe give me a hint, which setting in AirWatch I have to edit in order to disable the proximity sensor for kiosk devices?

Julio (julio.vita@hotmail.de)
2019-05-16 13:06:05

Unfortunately the case of the device is interfering with the sensor, therefore the brightness changes, turns darker

aaron (aaron@groundctl.com)
2019-05-16 13:19:20

*Thread Reply:* Apple has no interface to disable “auto brightness” over the air. So AirWatch and other MDMs can not control this. However the setting is saved with backup and restore. If you restore a backup as part of your provisioning process, you can disable auto brightness, and set brightness to whatever level you want. You can use a tool like Configurator or #groundcontrol for this.

👍 Sharkey
Sharkey (lukesharkey@gmail.com)
2019-05-16 13:19:56

*Thread Reply:* Great workaround! ^^^^^

Julio (julio.vita@hotmail.de)
2019-05-16 13:25:26

*Thread Reply:* Okay, thanks for the input 🙂

Anton I (antonn94@gmail.com)
2019-05-16 17:38:29

Hi, Has anyone used the Exchange Profile Oauth 2.0 setting in conjunction with Powershell integration such as VMware Powershell Integration or MobileIron Integrated Sentry here, that can give me some input?

Sharkey (lukesharkey@gmail.com)
2019-05-16 17:51:44

*Thread Reply:* Oauth is just authentication, powershell is after the fact to add/remove authorization to sync. So they are independent of each other.

Anton I (antonn94@gmail.com)
2019-05-17 08:41:16

*Thread Reply:* Good! Thank you.

Jorge De La Cruz (jdelacruz@rccl.com)
2019-05-17 15:22:13

@Jorge De La Cruz has joined the channel

Willem Verstegen (willem@verstegen.biz)
2019-05-17 18:48:59

@Willem Verstegen has joined the channel

Andrew Montague (amontague@vmware.com)
2019-05-20 14:43:34

@Andrew Montague has joined the channel

Ronald Reerds (ronald.reerds@blaud.com)
2019-05-20 20:12:25

@Ronald Reerds has joined the channel

Justin Butts (justin.butts777@gmail.com)
2019-05-20 21:25:38

Has anyone seen their environments have their VPP license revoked following the outage yesterday? We've had several clients now with revoked tokens out of nowhere - Apple made no mention of this in the outage. Anyone else out there experiencing this?

mreeves (reevesatl@gmail.com)
2019-05-21 04:11:37

@mreeves has joined the channel

Thomas B. (tbosboom@apple.com)
2019-05-21 17:12:22

@Thomas B. has joined the channel

Silvan Richner (silvan.richner@gmx.ch)
2019-05-21 18:12:32

@Silvan Richner has joined the channel

Joseph C (jc.calabrese9@gmail.com)
2019-05-21 18:44:09

@Joseph C has joined the channel

Juan Olivares Jr. (juan.olivaresjr@nm.org)
2019-05-21 18:55:22

@Juan Olivares Jr. has joined the channel

macbentosh (benbergthold@gmail.com)
2019-05-23 21:21:46

@here what’s with automated enrollment devices getting into a crash loop at the privacy screen

Damian (support@expertmobilite.com)
2019-05-24 08:12:29

If rumours are to be believed, then models such as the iPhone 6 Plus will no longer be supported when iOS 13 lands, any truth to this: https://www.macrumors.com/2019/05/10/ios-13-drops-iphone-6-iphone-5s-iphone-se-rumor/amp/

aaron (aaron@groundctl.com)
2019-05-24 10:18:38

In my opinion, it’s pointless to worry about rumors now. You will know for certain in a few more days.

Jay (jay@project-xy.com)
2019-05-24 10:22:37

Agreed and this isn't anything new is it. Apple always deprecates support for older devices and an iPhone 6 is from 2014!

❤️ Justin Butts
Justin Butts (justin.butts777@gmail.com)
2019-05-24 15:13:11

I think that these kinds of deprecation will slow down as the appearance of innovation wears out and phones all reach general parity

Bill (slack@meshak.net)
2019-05-24 15:39:12

I've always generally assumed Apple will only support devices for 4-5 years post initial launch. There's a lot of hardware change that happens in those years.

Andrew Olpin (andy@olpin.us)
2019-05-24 15:49:59

Only support them 4-5 years? Android has been a struggle to get more than two. 4-5 is amazing!

jafullersr (jafuller@starbucks.com)
2019-05-24 19:30:53

Agree. Complaints on a 4-5 year lifecycle with mobility is kinda funny when most IT departments are on a 3 year lifecycle with laptops.

Mark Vonk (mark.vonk@dahvo.com)
2019-05-24 19:35:43

About the rumour: I am not sure. The 6S and SE have 2Gb of memory, the older ones only 1 Gb. I would not be surprised if the 6S and SE would still get iOS 13. Many customers of mine still have a lot of SE devices in use, because of the form factor and pricing (it was pretty cheap back then). So if true, the more security conscious will have to upgrade (part of) their fleet. Even still and indeed, the 4-5y lifecycle is pretty good. Most customers financially deprecate hardware in 2 years, so it’s time to upgrade anyway 🙂

Andrew Olpin (andy@olpin.us)
2019-05-24 19:56:43

And, to be honest, Apple hasn't dropped a handset from new OS support in a couple of releases. They're overdue. Not to mention, iphone sales are slipping and this may help move the needle.

Stephen (stephen.stansfield@oa.mo.gov)
2019-05-24 20:04:56

Apple was selling se's on their site (the clearance side) a few months ago so I do not find it likely they will drop support this time

Tycho (tycho@schenkeveld.com)
2019-05-26 14:14:22

That's a shame but my iPhone 6 was getting too slow anyway (it's only a dualcore).. I moved to a Samsung S8 instead as I could no longer afford Apple's premium

Aris (lambropo@gmail.com)
2019-06-03 21:36:01

@Aris has joined the channel

macbentosh (benbergthold@gmail.com)
2019-06-04 15:51:07

has anyone @here been able to download a beta profile? All i see is xcode

NicolasR (raison_nicolas@me.com)
2019-06-04 15:51:23

There is no beta profile AFAIK

NicolasR (raison_nicolas@me.com)
2019-06-04 15:51:32

because not stable enough yet 😄

Julio (julio.vita@hotmail.de)
2019-06-04 15:51:50

There is one

Julio (julio.vita@hotmail.de)
2019-06-04 15:51:57

A colleague of mine installed it

Mirco Reimer (slack@mircoreimer.de)
2019-06-04 15:52:13

Hmm yesterday right after the keynote I just found a recovery image

macbentosh (benbergthold@gmail.com)
2019-06-04 15:52:22

that’s all i see

Jonathan Henson (jon@1fixpc.com)
2019-06-04 15:52:38

You'll have to find the ipsw if you don't have a developer account.

👍 Julio
macbentosh (benbergthold@gmail.com)
2019-06-04 15:53:18

I have a paid dev account

Julio (julio.vita@hotmail.de)
2019-06-04 15:53:32

My bad, it was an ipsw

Mirco Reimer (slack@mircoreimer.de)
2019-06-04 15:55:08

is what it seems to be for now

macbentosh (benbergthold@gmail.com)
2019-06-04 15:56:35

Odd I can not see that

Jason (jasonh@bridgeway.co.uk)
2019-06-04 16:24:38

Which countries are you both in?

NicolasR (raison_nicolas@me.com)
2019-06-04 16:54:47

I see the same as @macbentosh

NicolasR (raison_nicolas@me.com)
2019-06-04 16:54:51

France

👍 Jason
Jeff Mosher (jmosher@ca.ibm.com)
2019-06-04 17:24:22

@Jeff Mosher has joined the channel

Phil Hackett (phil.hackett83@gmail.com)
2019-06-04 18:04:44

I can’t see the iOS 13 restore images either. They haven’t made them available to Enterprise Developer accounts for some reason 🤔

Mark Vonk (mark.vonk@dahvo.com)
2019-06-04 18:17:15

Weird, I can see them and I have an enterprise developer account also.

Dimi (1547@live.co.uk)
2019-06-04 19:18:59

@Dimi has joined the channel

Ben (ben@cloudyday.nl)
2019-06-04 19:29:48

@Ben has joined the channel

fov (mobilepros@fovspeed.co.uk)
2019-06-04 20:41:11

@fov has joined the channel

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-06-04 21:39:17

It's a bit strange, there's no OTA profile for iPhone yet. IPSW's are not available for everyone either. I downloaded the IPSW files from a Google Drive (not official way i know).

😯 Thomas B.
Sharkey (lukesharkey@gmail.com)
2019-06-04 21:41:59

Did the agent sign in and agree to the updated terms? Just curious sometimes that’s an issue.

Ben (ben@cloudyday.nl)
2019-06-04 22:04:05

Here also not visible until about an hour ago, check again! 🙂

Tycho (tycho@schenkeveld.com)
2019-06-04 22:19:13

Stupid question but do you still need a paid developer account to get the betas?

Sharkey (lukesharkey@gmail.com)
2019-06-04 22:19:33

Usually is a public beta too

Tycho (tycho@schenkeveld.com)
2019-06-04 22:19:42

Yes but that was announced for July

Tycho (tycho@schenkeveld.com)
2019-06-04 22:19:58

I think we have Appleseed too so I'll check there

Sharkey (lukesharkey@gmail.com)
2019-06-04 22:20:06

Yeah. Then you need a developer account in the meantime

Sharkey (lukesharkey@gmail.com)
2019-06-04 22:20:16

Or Appleseed yeah

Sharkey (lukesharkey@gmail.com)
2019-06-04 22:20:55

Probably rolling out slow as to not kill apple servers

Mirco Reimer (slack@mircoreimer.de)
2019-06-04 22:22:59

our agent just signed today but for me as an admin the download was visible

Sharkey (lukesharkey@gmail.com)
2019-06-04 22:23:31

Must just be a phased rollout of some Kind

ninex (me@willworland.com)
2019-06-04 23:01:42

@ninex has joined the channel

Timothy D (mrtimothyduong+mobilxperts@gmail.com)
2019-06-05 02:44:54

@Timothy D has joined the channel

Paul Conaty (pconaty@cwsi.ie)
2019-06-05 08:53:15

@Paul Conaty has joined the channel

Dan Hughes (danh@avr.co.uk)
2019-06-05 09:41:24

@Dan Hughes has joined the channel

Paul Conaty (pconaty@cwsi.ie)
2019-06-05 10:02:16

hi all. Q for you. Anyone found a way to enable containerised email clients like EMail+ to be able to display personal (iCloud, GMail) calendars alongside work calendar? full data not really required here, just free/busy would do. I'm thinking something similar to the custom config to allow contacts to be visible. thanks in advance

Anton I (antonn94@gmail.com)
2019-06-05 10:11:23

Has anyone used single-app mode together with Per App VPN? Seems to be an issue with apps that need to be tunneled with help of the Per App VPN-app (such as VMware Tunnel) since iOS is only allowing the kiosk-application to run.

Justin Butts (justin.butts777@gmail.com)
2019-06-05 16:49:22

https://developer.apple.com/videos/play/wwdc2019/303/ FRIDAY 12pm MST - Apple MDM Webinar - hopefully they'll dig deep into what exactly everything we saw earlier will look like

aaron (aaron@groundctl.com)
2019-06-05 16:52:41

*Thread Reply:* To be clear, this session is coming on Friday. They will have a lot to cover in one hour. Not sure how that will work.

👍 Justin Butts, Jay, Ben
Tycho (tycho@schenkeveld.com)
2019-06-05 16:53:32

*Thread Reply:* Yeah I was just going to say, this is on Friday. They'll probably post the video only after (not livestreamed). It is a lot of course but I think they'll just give an overview and give links to the actual docs where we can deep dive.

aaron (aaron@groundctl.com)
2019-06-05 16:59:42

*Thread Reply:*
* user-enrolled MDM (the new BYOD)
* data separation
* managed Apple IDs
* “modern authentication” for DEP enrollment (and elsewhere?)
* SSO Extension (?)
* New rules regarding MDM use by third parties
* iPadOS (of course that’s aimed at businesses)
* activation lock for Mac
* iCloud for Enterprise

Justin Butts (justin.butts777@gmail.com)
2019-06-05 17:07:30

*Thread Reply:* Thank you guys! Forgot to mention the actual date -_-

Sharkey (lukesharkey@gmail.com)
2019-06-05 17:12:56

*Thread Reply:* No guarantees when it will be actually ready to use either, based on past experiences

Ben (ben@cloudyday.nl)
2019-06-05 18:06:17

*Thread Reply:* There is also an interesting session today, but no idea if there will be a video after the session. Edit: It's just a meeting. Perhaps something will come out. Waiting for Friday!

aaron (aaron@groundctl.com)
2019-06-05 18:10:13

*Thread Reply:* Here are the sessions I’m looking forward to:
• https://developer.apple.com/videos/play/wwdc2019/303/
• https://developer.apple.com/videos/play/wwdc2019/304/
• https://developer.apple.com/videos/play/wwdc2019/504/

👍 Russell Mohr
Tycho (tycho@schenkeveld.com)
2019-06-05 18:31:10

*Thread Reply:* Nice!! I didn't realise FIDO2 was coming

Thomas B. (tbosboom@apple.com)
2019-06-07 20:05:42

*Thread Reply:* Livestream just ended, was pretty cool.

aaron (aaron@groundctl.com)
2019-06-07 20:08:36

*Thread Reply:* It’s the era of SSO

NicolasR (raison_nicolas@me.com)
2019-06-05 22:16:05

Following up the discussion on the beta, now I can have access to the IPSW for the beta

Johannes Harbs (harbs.johannes@gmail.com)
2019-06-06 08:37:09

*Thread Reply:* I've access now as well

Nick Thompson (nick.d.thompson@me.com)
2019-06-05 23:31:26

@Nick Thompson has joined the channel

TylerR (tyler.reidie@gov.bc.ca)
2019-06-07 19:45:19

@TylerR has joined the channel

DirkC (dcarey@vmware.com)
2019-06-10 15:31:56

@DirkC has joined the channel

Ivan (gus_ivan@yahoo.com)
2019-06-10 15:37:45

@Ivan has joined the channel

Michael Goad (michaelpat87@gmail.com)
2019-06-10 15:44:41

@Michael Goad has joined the channel

Prip (prithviprasadk@hotmail.com)
2019-06-12 09:04:15

@Prip has joined the channel

Pierre Michaud (thunderbirt@gmail.com)
2019-06-13 00:21:53

@Pierre Michaud has joined the channel

Chris (chris.christou@outlook.com)
2019-06-13 11:01:51

@Chris has joined the channel

Adam Stephenson (adam.stephenson@gmail.com)
2019-06-13 18:01:28

@Adam Stephenson has joined the channel

Andrew (aj4x@icloud.com)
2019-06-14 05:02:23

@Andrew has joined the channel

Brian Smith (brian@hexnode.com)
2019-06-14 08:42:59

@Brian Smith has joined the channel

Ramprasadh R (rragup@ext.uber.com)
2019-06-14 21:20:15

@Ramprasadh R has joined the channel

Srikanth (srikanth.g.zoho@gmail.com)
2019-06-15 08:16:55

@Srikanth has joined the channel

Anthony Ridley (anthony.ridley@gmail.com)
2019-06-15 13:38:29

@Anthony Ridley has joined the channel

Scott Arndt (scott.arndt1982@gmail.com)
2019-06-18 12:52:49

@Scott Arndt has joined the channel

Phil Burk (philburk@mac.com)
2019-06-21 13:16:41

@Phil Burk has joined the channel

Phil Burk (philburk@mac.com)
2019-06-21 17:48:44

I am going to do a Google search on this to track down some more "official" statements to present to a customer, but I was asked in a meeting yesterday if I could give some details on why it's a bad idea to let users jailbreak their devices. Of course, I have right off the top of my head about 50 reasons (lol) but I do need to back up these ideas with further details.

Stephen (stephen.stansfield@oa.mo.gov)
2019-06-21 17:53:33

*Thread Reply:* I cannot believe that would actually be brought up, maybe the fact they can copy all the data on the device as can anyone taking advantage of the security hole that a jailbreak is. Basically assume anything safe to have on a jailbroken device can be posted on the internet including live microphone camera and location feeds. If they are okay with that then it may be acceptable. If you want official statements I would check the iOS security guide from Apple

😆 Tycho
Andrew Olpin (andy@olpin.us)
2019-06-21 20:54:58

*Thread Reply:* With mobile operating systems, much of the security is based on the operating system controls. It keeps the credentials for authentication, wifi login information, passwords, etc. If the device gets jailbroken, it's light years easier to get access to that.

Additionally, these devices have lots of sensors and go with us everywhere. If your CEO is driving to the HQ of a competitor planning a buyout, that may be information that could come under the jurisdiction of the SEC.

DirkC (dcarey@vmware.com)
2019-06-21 22:38:00

*Thread Reply:* There is also no guarantee that any MDM controls you apply would be enforced.

DirkC (dcarey@vmware.com)
2019-06-21 22:38:41

*Thread Reply:* The jailbreak may expose the encryption key in plain text as well.

Michael Goad (michaelpat87@gmail.com)
2019-06-22 23:14:30

*Thread Reply:* I agree with @DirkC on these points, I would also ask what their posture is for iOS updates as a whole. I have found the jailbreaks are becoming harder and harder with newer releases of iOS. I find most organizations require or at least recommend users be on a certain iOS update to ensure patches to vulnerabilities and bugs. Most jailbreaks are a few versions behind that which means they are already exposing themselves to security vulnerabilities. Just my two cents 🙂

Phil Burk (philburk@mac.com)
2019-06-24 13:10:43

*Thread Reply:* Excellent, thank you

Dimi (1547@live.co.uk)
2019-06-24 14:49:33

*Thread Reply:* It is so sad you even have to do this. Device is compromised end of story.

👍 Justin Butts
Dimi (1547@live.co.uk)
2019-06-24 14:53:13

*Thread Reply:* if something like KeyRaider exists today that’s the only argument you need to have in your arsenal

Phil Burk (philburk@mac.com)
2019-06-21 17:48:59

Any input appreciated to help me narrow down the focus of this search.

SS (sethuselvaeee@gmail.com)
2019-06-25 03:06:02

@SS has joined the channel

Jordan Miller (jordanm@us.ibm.com)
2019-06-25 14:18:43

@Jordan Miller has joined the channel

Cherish Dickey (dickey_cherish@bah.com)
2019-06-25 18:52:58

@Cherish Dickey has joined the channel

Megan ODonnell (omegan@us.ibm.com)
2019-06-25 19:51:47

@Megan ODonnell has joined the channel

Henry Tai (henrytai@me.com)
2019-06-26 22:30:26

@Henry Tai has joined the channel

AU-Consultant (sambenenge@gmail.com)
2019-06-27 04:37:32

@AU-Consultant has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2019-06-27 11:35:16

Anyone have issues with Apple Watches not showing managed profile contact names, just numbers when iOS restrictions are in place?

Julio (julio.vita@hotmail.de)
2019-06-27 11:38:59

*Thread Reply:* If the Watch is not managed it shouldn’t show the contact names, AFAIK. If you want that to show, you could try to enable “Allow managed apps to write contacts to unmanaged contacts accounts”. Even though I wouldn’t, if the Watch is not under management.

Russell Mohr (rmohr@mobileiron.com)
2019-06-27 12:50:53

*Thread Reply:* @Julio good suggestion. However, watches can’t be Managed (or unmanaged) because Apple hasn’t provided that framework

Kiran Patel (kiran@kiranpatel.net)
2019-07-22 13:36:57

*Thread Reply:* What’s odd here is that it usually works but randomly will stop working

Pratheeshkl (pratheeshkl@gmail.com)
2019-06-27 12:07:44

@Pratheeshkl has joined the channel

AbhishekPd (abhiprasad04@gmail.com)
2019-06-28 09:15:22

Hi.. Is there a way to view encrypted mails in ios devices?

Jay (jay@project-xy.com)
2019-06-28 09:28:37

*Thread Reply:* Depends on what you are looking to do. iOS does support SMIME https://support.apple.com/en-in/HT202345

👍 Thomas B.
AbhishekPd (abhiprasad04@gmail.com)
2019-06-28 12:24:13

*Thread Reply:* That's useful. Thank you Jay.

Leon (leonashtonleatherland16@gmail.com)
2019-07-01 12:18:23

@Leon has joined the channel

aumac (rbarnes@internode.on.net)
2019-07-01 23:28:02

@aumac has joined the channel

Amina Kabeer (amina@mitsogo.com)
2019-07-04 06:31:22

@Amina Kabeer has joined the channel

Nick Knight (arpknight@gmail.com)
2019-07-05 02:03:31

I swear I could take a backup with configurator of an unsupervised device, reset it and then restore the backup and enroll so it was supervised. Now I can't seem to anymore. We use WS1 and Business Manager DEP
A. If I do the restore before enrollment, it simply goes full consumer and skips enrollment entirely
B. If I try restoring after enrollment, configurator complains the device is already prepared.

Am I missing something here or has something changed recently?

EDIT: OK. this occurs only if you keep the same device. If you change the device it will complete enrollment with the restored data (method A)

Is there any way to accomplish this on a single device?

EDIT: Found a way. Restore to a second device, change the name in configurator and then backup and restore back to the original device. Hooray!

👍 Adrian Patrascu
Matthew Shaver (mshaver@us.ibm.com)
2019-07-05 13:52:02

*Thread Reply:* I created this iOS backup/restore guide based on iOS 12 (I'll update it if anything changes with 13): https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/

👍 Nick Knight
Neesh Lamba (neesh.lamba@prosearch.us)
2019-07-09 00:17:46

@Neesh Lamba has joined the channel

Will Davis (wmdavis@us.ibm.com)
2019-07-09 16:02:27

@Will Davis has joined the channel

Cesare Coscia (czc5049@gmail.com)
2019-07-09 17:08:18

@Cesare Coscia has joined the channel

Margaret Radford (mrad300816@gmail.com)
2019-07-10 02:39:50

@Margaret Radford has joined the channel

Marvin Martin (marvin@compassfoundation.io)
2019-07-11 13:43:32

@Marvin Martin has joined the channel

Julio (julio.vita@hotmail.de)
2019-07-11 14:25:23

When I set the 90 days delay for iOS updates in a Workspace One profile, can I still force the device to do the update before at some point or do I have to wait until they’re over?

Stephen (stephen.stansfield@oa.mo.gov)
2019-07-11 15:09:11

remove the profile and the delay goes away

Julio (julio.vita@hotmail.de)
2019-07-11 15:12:33

*Thread Reply:* The use case I have is, it’s a bunch of kiosk devices and I want to update them building by building, so I was thinking of applying it to all and then start with a small group of devices, by just triggering the update anyway. Which would keep the rest that was not triggered in the delayed mode. Probably it might make sense to create a profile just for that purpose and excluding the ones I want to update on the planned day right?

Stephen (stephen.stansfield@oa.mo.gov)
2019-07-11 15:24:34

*Thread Reply:* You cannot update by profile; you can by compliance policy. Be sure to pull the devices out of single app mode before sending the update if you were doing that. Excluding the ones you want to update should work. I have never tried to push an update through a block, so you may test if you need to; it would probably be wise to remove the block regardless.

aaron (aaron@groundctl.com)
2019-07-11 15:36:04

Yes, you can push the iOS update even if the 90-day delay is still in effect. The delay affects only user-initiated updates.

Julio (julio.vita@hotmail.de)
2019-07-11 15:38:56

*Thread Reply:* Thanks for the feedback. Have you tested that scenario already?

aaron (aaron@groundctl.com)
2019-07-11 20:09:49

*Thread Reply:* Not via MDM, but via Configurator.

Thomas B. (tbosboom@apple.com)
2019-07-17 21:11:24

*Thread Reply:* Also only applies to OTA updates, so iTunes or Configurator installed updates should circumvent

Jason (sparklemotion@gmail.com)
2019-07-12 21:16:59

@Jason has joined the channel

Timothy Byler (timothy@compassfoundation.io)
2019-07-14 07:09:18

@Timothy Byler has joined the channel

Zachary Shanholtz (zacshanholtz@ibm.com)
2019-07-15 14:55:12

@Zachary Shanholtz has joined the channel

Mark Polette (polette.m@pg.com)
2019-07-15 18:25:39

@Mark Polette has joined the channel

Daniil Michine (daniil.michine@mobile-mentor.com)
2019-07-16 15:52:35

@Daniil Michine has joined the channel

Dana Baker (manager.tablet@us.issworld.com)
2019-07-16 17:27:17

@Dana Baker has joined the channel

Yth (enis_1990_@hotmail.com)
2019-07-16 17:49:17

@Yth has joined the channel

Chad Welch (cwelch@mobileiron.com)
2019-07-18 15:43:04

@Chad Welch has joined the channel

Jean-Charles Godard (jean-charles.godard_ext@euromaster.com)
2019-07-19 11:16:10

@Jean-Charles Godard has joined the channel

Dwight Harper (dwight_harper@us.ibm.com)
2019-07-19 14:24:45

@Dwight Harper has joined the channel

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-23 15:07:35

*Thread Reply:* @Andrew Montague Check your Single Sign-On profile that it contains bundle ids of Google apps.

Andrew Montague (amontague@vmware.com)
2019-07-23 15:28:01

*Thread Reply:* Thanks, it does have them. Good call though.

Jack Madden (jackalexandermadden@gmail.com)
2019-07-24 00:52:28

Interesting: https://www.macrumors.com/2019/07/23/iphone-to-iphone-data-migration/

👍 Adrian Patrascu
aaron (aaron@groundctl.com)
2019-07-24 02:54:36

Oh no, #groundcontrol is dead!

Matthew Shaver (mshaver@us.ibm.com)
2019-07-24 03:10:57

At least I don't have to smash the devices together to get NFC or something going

Ajay Patel (ajay5675@msn.com)
2019-07-24 14:20:38

@Ajay Patel has joined the channel

Anthony Tedesco (atedesco@groundctl.com)
2019-07-24 19:29:49

@Anthony Tedesco has joined the channel

MrTechGadget (audioeng@gmail.com)
2019-07-24 20:52:57

@MrTechGadget has joined the channel

Ryan Kane (ryan@kentuckykanes.com)
2019-07-25 15:41:39

@Ryan Kane has joined the channel

Ryan Kane (ryan@kentuckykanes.com)
2019-07-25 15:46:58

I'm working on a Clinical Communications RFP for a "Voice, Text, Alarm" App deployed to iPhone 8 in a Cisco Wi-Fi environment. One of the vendors made a recommendation I've not considered on modern iOS hardware. They suggest always purchasing the GSM variant of an iPhone over the CDMA. I assume this is legacy advice based on buy-back residuals in the iPhone 5 era, but it made me consider if the radio chipset and device baseband programming could be better aligned for a Wi-Fi VoiP deployment with GSM hardware vs CDMA in a no-SIM deployment. That shouldn't make any difference, right?

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:02:51

*Thread Reply:* I don't see how cellular radios would impact a WiFi only deployment.

aaron (aaron@groundctl.com)
2019-07-26 01:35:40

*Thread Reply:* We do a LOT of work with clinical communications iPhones, and I’ve never heard about this one. With no SIMs, the cellular portion is irrelevant. So I agree with your skepticism.

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:04:08

Anyone out there managing Dual Sim iPhones yet where one line is corporate and one is personal? How do you treat that device from a management point of view? If the hardware and corporate plan are provided, and a user adds their personal plan, I would assume it's still treated as a corporate controlled device, albeit one you can make personal calls from. Any thoughts around this?

Andrew Olpin (andy@olpin.us)
2019-07-25 16:20:56

*Thread Reply:* Dual SIM is interesting for having multiple phone numbers, but it doesn't really have anything to do with managing the device. There's still only one operating system, and any personal vs. corporate apps are still managed by the MDM configuration on the device.

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:30:39

*Thread Reply:* kind of. if it's a corporate device and users are allowed to add their personal phone numbers, it's essentially a COPE device, which absolutely impacts the management, depending on how you interpret this.

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:32:22

*Thread Reply:* COPE devices, per NIST guidelines, should be treated as a fully fledged personal device in regards to app management. That means no blacklisting.

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:32:55

*Thread Reply:* There's also issues with cross pollination of contacts, right?

Andrew Olpin (andy@olpin.us)
2019-07-25 16:36:31

*Thread Reply:* There's always an issue with cross pollination of contacts if you allow personal apps and contacts, but that's mostly a question of how you handle the device. For most companies, whether personal or corporate owned, the user is allowed to install whatever applications they want, so the added SIM doesn't alter much. You have to figure out your containerization plan and what your requirements are for locking down the device.

👍 Justin Butts
Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:57:51

*Thread Reply:* virtually every one of my clients for the past 5 years has blacklisted some kind of app or another

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:58:05

*Thread Reply:* so it gets very murky

Justin Butts (justin.butts777@gmail.com)
2019-07-25 16:58:42

*Thread Reply:* From my POV, I don't care if a user adds their personal phone to a corporate device, they're still not going to get to download Netflix, dating apps, etc.

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-25 17:44:30

*Thread Reply:* Hi Justin, that sounds like an interesting case, but I totally agree with your last point. The fact that they add a personal SIM to a corporate device does not make it a personal phone. They can use SMS, and phone calls from their personal SIM, but app blacklist and policies should remain as per a corporate device.

👍 Justin Butts, Torben Volkmann
Torben Volkmann (torben.volkmann@bluecue.de)
2019-09-11 07:45:03

*Thread Reply:* That‘s the way we implemented it in our company. But to be honest: our blacklist is short (Outlook mobile & Whatsapp)

👍 Adrian Patrascu
Pierre_B (pierre.bilong@econocom.com)
2019-07-26 15:29:39

@Pierre_B has joined the channel

Natalia (nak2224@gmail.com)
2019-07-26 19:12:27

@Natalia has joined the channel

Ryan Kane (ryan@kentuckykanes.com)
2019-07-29 15:05:19

Can anyone share the Apple Bundle Identifier for iOS 13's "Find My" app? I need it to update some whitelist/blacklist settings on managed devices.

Matthew Shaver (mshaver@us.ibm.com)
2019-07-29 15:09:18

com.apple.mobileme.fmip1 I believe

Matthew Shaver (mshaver@us.ibm.com)
2019-07-29 15:10:02

https://www.reddit.com/r/iOSthemes/comments/2n8bj5/list_for_a_bunch_of_bundle_ids_i_found/cmbdgyg/

aaron (aaron@groundctl.com)
2019-07-29 16:42:24

@Ryan Kane in iOS 13 the app ID is com.apple.findmy. I checked my iPhone console logs for this. It’s a new ID for iOS 13.

Matthew Shaver (mshaver@us.ibm.com)
2019-07-29 16:50:26

Whyyyyyyyyyyyyyyyyyyyyy

Matthew Shaver (mshaver@us.ibm.com)
2019-07-29 16:50:38

@aaron are you aware of any other app IDs changing?

aaron (aaron@groundctl.com)
2019-07-29 16:51:40

I wasn’t aware of this one changing either, until I checked. I’ll do a full comparison now. Ugh.

Matthew Shaver (mshaver@us.ibm.com)
2019-07-29 16:53:03

I think I have a device enrolled in it so I’ll check as well. Now I have to look at not just 13 but iOS vs. iPad OS. We can coordinate as this may make a good blog topic if there is a bunch of differences

aaron (aaron@groundctl.com)
2019-07-29 17:19:27

@Matthew Shaver Shortcuts: com.apple.shortcuts

Kevin Minatta (kminatta@gmail.com)
2019-08-05 21:51:56

@Kevin Minatta has joined the channel

Markus Speicher (mspeicher@mobileiron.com)
2019-08-06 12:48:09

@Markus Speicher has joined the channel

Antonio (antoniourbinajr@gmail.com)
2019-08-08 16:11:51

@Antonio has joined the channel

Udoy (udoy@chatterji.net)
2019-08-09 14:37:16

@Udoy has joined the channel

Udoy (udoy@chatterji.net)
2019-08-09 14:38:43

Does anyone of you have knowledge if you need a special Blackberry Dynamics SDK for the upcoming iPadOS (Fork of ios) that comes this Fall?

Ajay Patel (ajay5675@msn.com)
2019-08-09 15:58:51

*Thread Reply:* your best bet is to read the below support article. I've been told this includes iPadOS also.

https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000057712

Udoy (udoy@chatterji.net)
2019-08-12 17:47:27

*Thread Reply:* Nice, thanks. BB will not develop its own iPadOS version of the BD SDK for now, it seemed. Let's see.

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-08-12 12:13:56

Hi, I just found this great article and thought to share with you all: https://support.apple.com/en-us/HT210346. It is strongly encouraged to update all the iOS devices to this latest 12.4 version available.

👍 Sharkey, Thomas B.
Sunith Mandalia (sunith.mandalia@gmail.com)
2019-08-13 09:42:31

@Sunith Mandalia has joined the channel

Ray Domingue (raydomingue@gmail.com)
2019-08-13 15:51:22

@Ray Domingue has joined the channel

Marc Lipscombe (marc.lipscombe@gov.scot)
2019-08-15 09:52:06

@Marc Lipscombe has joined the channel

Steven Benton (steven.benton@ibm.com)
2019-08-15 15:12:52

@Steven Benton has joined the channel

Torben Volkmann (torben.volkmann@bluecue.de)
2019-08-20 17:17:19

@Torben Volkmann has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-08-21 00:39:25

Has anybody seen any jailbroken iOS 12.4 devices pop up in their environment? With all the news out there, I figure more people might be trying it than in the last few years.

Matthew Shaver (mshaver@us.ibm.com)
2019-08-21 02:38:10

*Thread Reply:* I've been keeping an eye out on the numbers since the exploit is back in the wild but we really don't see any except for a few folks that do it on purpose to make homebrew apps work.

Thomas B. (tbosboom@apple.com)
2019-08-21 12:05:40

*Thread Reply:* Basic hardening should prevent jailbreaks, e.g. block users from installing enterprise apps, block users from installing config profiles….

Thomas B. (tbosboom@apple.com)
2019-08-21 12:06:05

*Thread Reply:* Possibly block USB-host connections for extra hurdle

Tycho (tycho@schenkeveld.com)
2019-08-21 13:09:47

*Thread Reply:* We block them immediately if they try... Agree with @Thomas B. but of course with BYOD there's limited option to do this.

Kiran Patel (kiran@kiranpatel.net)
2019-08-21 17:04:15

*Thread Reply:* @Tycho what are you relying on to detect the jailbreak?

Tycho (tycho@schenkeveld.com)
2019-08-21 18:19:25

*Thread Reply:* WS1 built in detection. Not sure how good it is though

🤔 David F
Christoffer ST (christoffer.s.taudien@econnectivity.se)
2019-08-22 10:37:49

@Christoffer ST has joined the channel

Mr.Anderson (chris.anderson1@hcahealthcare.com)
2019-08-26 19:54:02

@Mr.Anderson has joined the channel

AndersH (anders.hermansson@evry.com)
2019-08-27 09:43:06

@AndersH has joined the channel

Daniel Vodrážka (dvodrazka@system4u.com)
2019-08-27 10:59:57

@Daniel Vodrážka has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-08-27 16:48:55

Has anyone further information about the container feature in iOS 13? Is this already in the beta? Have not read anything further about that. As far as I understood this separation can be achieved with the new user enrollment, right?

NicolasR (raison_nicolas@me.com)
2019-08-27 16:56:19

*Thread Reply:* user enrollment is already here but requires EMM to enable it

MichaelM21 (mike.miller815@yahoo.com)
2019-08-27 17:00:18

*Thread Reply:* Gotcha. thanks @NicolasR - have you tried it?

When will MI Core target these new features? If this container feature is only relevant for user enrollment, I am asking myself if we want to enroll our company owned devices with user enrollment only because of that feature. Wipe devices is history then as far as I know.

AndersH (anders.hermansson@evry.com)
2019-08-28 08:06:21

*Thread Reply:* MobileIron do not support it yet. Not sure about workspace one?

NicolasR (raison_nicolas@me.com)
2019-08-28 09:11:45

*Thread Reply:* MobileIron is working on it and large customers already asked this for support in CORE/CLOUD. I guess it will come around CORE 10.5 or 10.6 (Q3/Q4 2019) *put the appropriate disclaimer here* 😉

😂 MichaelM21, Torben Volkmann
🙏 MichaelM21
Kiran Patel (kiran@kiranpatel.net)
2019-08-28 12:36:01

*Thread Reply:* I read somewhere Intune was going to have support very soon. Anyone know if it’s out?

Preetham Guram (spurtipreetham.g@gmail.com)
2019-08-29 19:54:27

*Thread Reply:* SOTI’s mobicontrol will have support for user enrollment in the next release.

Andrew Montague (amontague@vmware.com)
2019-09-03 12:43:26

*Thread Reply:* Workspace ONE Getting Ready for Apple Fall 2019 Releases

https://support.workspaceone.com/articles/360024561354

There's a nice little section in here on what can and can't be done with User Enrollment and a video showing the enrollment process.

👍 MichaelM21, Torben Volkmann
MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 18:10:26

*Thread Reply:* Very useful link - I wish MobileIron would have similar content with these kind of info and videos!

Anton I (antonn94@gmail.com)
2019-08-28 14:25:03

If I include a "Payload Certificate" (user certificate) in an iOS Exchange profile with Oauth enabled, what will happen then? The customer uses ADFS with certificate authentication enabled. Will this remove the need to choose certificate etc?

Anton I (antonn94@gmail.com)
2019-08-28 15:20:31

*Thread Reply:* Tested. "Will this remove the need to choose certificate etc?" = NO 🙂

Stephen (stephen.stansfield@oa.mo.gov)
2019-08-28 15:23:30

*Thread Reply:* You have to choose the cert in the exchange profile as well

Stephen (stephen.stansfield@oa.mo.gov)
2019-08-28 15:24:23

*Thread Reply:* Also are you using a system that needs both a cert and Oauth since if you are doing cert based you do not use Oauth

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 14:34:38

*Thread Reply:* No as Modern authentication is handled in Safari. It will work automatically only with CBA against Azure AD.

👍 Anton I, Woody
Al (al.mackay@astrazeneca.com)
2019-09-04 10:35:41

Has anyone had any experience in setting up company wide shortcuts for people to be able to leverage? What I’d like to do is have a catalogue of validated Apple shortcuts (Workflow as was) that people can add to their devices that we’ve created centrally (and therefore tested etc) Whilst I know I could share individually, concept of the catalogue would enable me to (hopefully) keep these updated as and when needed. Know iOS 12/13 introduced concept of untrusted shortcuts, also hoping that it’s possible to force the trust of these if deployed via EMM? Appreciate any thoughts if even possible??

Thomas B. (tbosboom@apple.com)
2019-09-06 06:27:34

*Thread Reply:* I like the idea!

Al (al.mackay@astrazeneca.com)
2019-09-06 22:05:50

*Thread Reply:* 👍 Just need to work out if possible 😁, research time....

Andrew Montague (amontague@vmware.com)
2019-09-17 11:51:16

*Thread Reply:* Which EMM? If you are using Workspace ONE Access then shortcuts can be configured in the catalog.

Andrew Montague (amontague@vmware.com)
2019-09-17 11:51:52

*Thread Reply:*

Al (al.mackay@astrazeneca.com)
2019-09-18 10:36:57

*Thread Reply:* Hi @Andrew Montague Interesting. This looks like more of a webclip sort of approach though, so wouldn’t necessarily be a catalogue of shortcuts (workflows)? Not sure it would also get through versioning limitations as well so if e.g I changed a workflow to include another variable (as an example) user would still have their existing configured workflow in the app. We are also WSO customers though so if I’m missing something here this would be good

Ondrej Zerzanek (ozerzanek@system4u.com)
2019-09-04 14:10:03

@Ondrej Zerzanek has joined the channel

David Peřina (dperina@system4u.com)
2019-09-06 07:45:22

@David Peřina has joined the channel

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-10 08:00:43

@Armin Beiner has joined the channel

David F (david.fink@gov.bc.ca)
2019-09-10 17:43:37

Is there another way to see iOS changes specific to MDM? I've been following the developer.apple.com posts but it's beyond what we need.

Cherish Dickey (dickey_cherish@bah.com)
2019-09-10 17:48:40

*Thread Reply:* Apple has a program called AppleSeed for IT which provides enterprise related features, beta profiles for download and also includes test plans that can be used to verify new features

Cherish Dickey (dickey_cherish@bah.com)
2019-09-10 17:49:12
David F (david.fink@gov.bc.ca)
2019-09-10 17:49:33

*Thread Reply:* We have been using AppleSeed since it got added to ABM

David F (david.fink@gov.bc.ca)
2019-09-10 17:50:00

*Thread Reply:* I was looking more for callouts to new MDM functionality

David F (david.fink@gov.bc.ca)
2019-09-10 17:51:04

*Thread Reply:* VMWare has basically told us that we have to export our device profiles before and after they seed new models and figure it out on our own what's changed

aaron (aaron@groundctl.com)
2019-09-10 18:04:17
David F (david.fink@gov.bc.ca)
2019-09-10 18:13:07

*Thread Reply:* right, I saw this a while back, fantastic resource by the way

👍:skin_tone_3: aaron
David F (david.fink@gov.bc.ca)
2019-09-10 18:15:54

*Thread Reply:* like, I think I can share this here, the Today View kind of caught us off guard. The PI exposure initially was a bit scary and it was not immediately discernible how we could control it.

aaron (aaron@groundctl.com)
2019-09-10 18:20:27

*Thread Reply:* The Today View can be disabled on the lock screen. That’s been available in MDM for a few years.

David F (david.fink@gov.bc.ca)
2019-09-10 18:21:18

*Thread Reply:* no I know, we were hoping for some granular redaction and ultimately never found it

aaron (aaron@groundctl.com)
2019-09-10 18:21:38

*Thread Reply:* Got it

David F (david.fink@gov.bc.ca)
2019-09-10 18:22:15

*Thread Reply:* In Canada, touching a cellphone in a car is an immediate ticket, so we have to balance the PI exposure and usability

Ben (ben@cloudyday.nl)
2019-09-11 11:38:38

*Thread Reply:* @aaron Do you know if it will be possible to use the managed AppleID in combination with Automated Device Enrollment?

aaron (aaron@groundctl.com)
2019-09-11 12:12:21

*Thread Reply:* So you mean enroll as AD user but use managed Apple ID for iCloud, etc? I am not sure. It isn’t obvious that anything other than “user enrollments” devices allow two Apple IDs. No partition, so no data separation.

aaron (aaron@groundctl.com)
2019-09-11 12:38:57

*Thread Reply:* The more I think about it, the more I think only UE devices will allow 2 Apple IDs. I can’t see Apple adding a user interface for a “company Apple ID” within the OS.

Now if you want to use a managed Apple ID as the one and only Apple ID on a DEP device, that’s probably fine.

User Enrollment isn’t coming until Sept 30 BTW. And it will need to be supported by MDM.

aaron (aaron@groundctl.com)
2019-09-10 19:44:30

iOS 13 available Thursday, September 19.

Jeoffrey Burri (generi@generi.ch)
2019-09-10 19:48:14

How do you know that, it was not mentioned at the keynote, was it?

Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 19:48:22

Their website has it

Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 19:48:31

https://www.apple.com/ios/ios-13/

Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 19:49:18

Anyone recall how early they typically drop the GM seed?

Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 19:50:34

Looks like iOS 12 GM seed was 5 days before, so we have a few days I guess

aaron (aaron@groundctl.com)
2019-09-10 19:52:44

“iOS 13 will be available on September 19 as a free software update for iPhone 6s and later. Additional software features will be available on September 30 with iOS 13.1.”

👍 Sharkey
Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 19:54:16

Are they software features or Security features though 🤣

aaron (aaron@groundctl.com)
2019-09-10 19:55:34

I believe User Enrollment is in 13.1, not 13.0.

Jeoffrey Burri (generi@generi.ch)
2019-09-10 19:55:44

Sept. 30 is when the new iPad comes out. Wondering if the split into iPad OS is going to happen with 13.1...

DirkC (dcarey@vmware.com)
2019-09-10 19:56:00

https://www.apple.com/ios/ios-13/features/ has user enrollment with a ** which notates Sept 30th

aaron (aaron@groundctl.com)
2019-09-10 19:57:48

Lots of * and ***

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-09-10 19:58:17

My guess is that 13.1 also releases that day

Hitesh Ambulkar (hambu001@fiu.edu)
2019-09-10 19:59:09

Summing up the #AppleEvent

Same Apple watch but display is always on

Same iPad with chipset 3 generations old

Same iPhones as last year but camera is slightly better.

Small content lacking services starting at $4,99/month.

👍 Andrew Montague
Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 20:01:08

*Thread Reply:* No Jony Ive lulling us gently to sleep

😅 Hitesh Ambulkar
🤣 Ray Domingue
Sharkey (lukesharkey@gmail.com)
2019-09-10 20:31:32

*Thread Reply:* This sums up every Apple event basically 😉

Hitesh Ambulkar (hambu001@fiu.edu)
2019-09-10 20:32:01

*Thread Reply:* I was expecting a tracker too

Matthew Shaver (mshaver@us.ibm.com)
2019-09-10 20:36:06

*Thread Reply:* I'm disappointed that Apple Arcade isn't an actual arcade machine

Hitesh Ambulkar (hambu001@fiu.edu)
2019-09-10 20:58:24

*Thread Reply:* But it is still good for mobile gamers

David F (david.fink@gov.bc.ca)
2019-09-12 18:44:49

*Thread Reply:* ya, I wasn't looking for more reasons for my family to stare at their screens, thanks Apple 👍

Sharkey (lukesharkey@gmail.com)
2019-09-12 18:45:35

*Thread Reply:* Frogger was the headliner game.....sad business

Matthew Shaver (mshaver@us.ibm.com)
2019-09-12 23:25:36

*Thread Reply:* Time is a circle

Jeoffrey Burri (generi@generi.ch)
2019-09-10 20:19:41

Did anyone install iOS 13.1 Beta on an iPad? Does it already identify as iPad OS?

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-09-10 20:23:56

*Thread Reply:* It does. Running 13.1 on my iPad Pro

Sharkey (lukesharkey@gmail.com)
2019-09-11 13:13:10

ios 13 Seed is available for developers

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-11 13:33:39

Is anyone aware that the golden master of iOS 13.0 still has the bugs with managed open in and the native mail client? Are you guys deferring the updates 14 days (19.9 till 30.9) or what's your strategy?

Pierre Michaud (thunderbirt@gmail.com)
2019-09-11 16:41:20

*Thread Reply:* Interesting. First time I hear of it! Might you have access to the document that list this known issue?

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-12 07:39:40

*Thread Reply:* @Wolfgang Bauer yes, we recommend to our customers to wait for 13.1

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-12 08:50:03

*Thread Reply:* There is no document for it. You need to test it for yourself to verify.

👍 Pierre Michaud
Jeremy (jeremy@bodokh.com)
2019-09-12 09:27:02

*Thread Reply:* My mail client with exchange server is completely broken. I’m not getting any emails and the app is completely empty apart from the folder list.

Jason (jasonh@bridgeway.co.uk)
2019-09-12 09:39:37

*Thread Reply:* What certs are you running on your Exchange servers? Are they compliant with Apple’s requirements? See: https://support.apple.com/en-us/HT210176

Jeremy (jeremy@bodokh.com)
2019-09-12 09:43:28

*Thread Reply:* Yes it’s compatible. Was working during all the betas and working with iOS 13.1 betas. Seems to only be broken in the GM

Jason (jasonh@bridgeway.co.uk)
2019-09-12 09:44:27

*Thread Reply:* Uh oh, not good.

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-12 09:45:58

*Thread Reply:* Yeah… 13.1 beta 3 is pretty solid. 13 GM is still a mess. Avoid it if possible and wait till 30.9. for 13.1

Jeremy (jeremy@bodokh.com)
2019-09-12 09:52:10

*Thread Reply:* According to some forums, I’m not the only one to have issue with exchange on 13 GM. Wonder if they’ll end up releasing it with broken exchange

Jeremy (jeremy@bodokh.com)
2019-09-12 10:51:51

*Thread Reply:* upgraded the same device to 13.1 Beta 3 and Exchange is now working

👍 Pierre Michaud
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-13 07:32:29

*Thread Reply:* anyone using a defer update policy for this? What do you guys do at release of 13.1? Push the iOS Version manually to the devices?

Kiran Patel (kiran@kiranpatel.net)
2019-09-13 17:48:23

*Thread Reply:* interesting the release notes stated that it was fixed in Beta 6

Kiran Patel (kiran@kiranpatel.net)
2019-09-13 17:48:24

*Thread Reply:* (iOS 13 Beta 6) The allowOpenFromManagedToUnmanaged restriction prevents saving files from managed apps to the local Downloads folder, which is unmanaged.

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-13 17:52:07

*Thread Reply:* Interesting. I am not able to test it now (all my test devices running 13.1 betas). Is someone else able to test and confirm?

aaron (aaron@groundctl.com)
2019-09-11 16:51:45

New video! https://developer.apple.com/videos/play/tech-talks/301/

👍 Kiran Patel
Boe (bkelley1982@gmail.com)
2019-09-15 05:54:03

@Boe has joined the channel

Dennis Wittig (dennis.wittig@ebf.com)
2019-09-16 08:03:55

@Dennis Wittig has joined the channel

Austin Crider (austincrider@magnolia.com)
2019-09-16 20:33:22

@Austin Crider has joined the channel

Bo Hjortstrand (bo@hjortstrand.com)
2019-09-17 14:49:48

@Bo Hjortstrand has joined the channel

JmB (jean-marc.bichaud@econocom.com)
2019-09-18 09:12:41

hello guys @here, any idea on how to push a Gmail app with a pre-set account on iOS with EMM (MobileIron) ?

NicolasR (raison_nicolas@me.com)
2019-09-18 09:13:15

*Thread Reply:* You can push native account, but Google apps don’t support app config

NicolasR (raison_nicolas@me.com)
2019-09-18 09:13:36

*Thread Reply:* Google apps can use this native account after if i’m not wrong

Andrew Montague (amontague@vmware.com)
2019-09-18 14:41:34

*Thread Reply:* Unfortunately I don't know MobileIron but I do know that in Workspace ONE if the device is enrolled using AfW GMail is considered the 'native' mail client and can be configured by a native mail profile.

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-19 18:55:19

*Thread Reply:* Jean-marc is talking about iOS. No way to configure Gmail app this way on iOS.

Ugnius (ugnius.dainys@danskebank.lt)
2019-09-19 08:31:34

@Ugnius has joined the channel

Sharkey (lukesharkey@gmail.com)
2019-09-19 15:51:59

Anyone else have a real hard time getting into the Enterprise Developer program with Apple? They've been dragging me out for almost 6 months with no explanations on the delays.

Almar Diehl (almar.diehl@blaud.com)
2019-09-19 18:46:02

*Thread Reply:* We were told by Apple that they will try to get as many companies as possible OUT of the Enterprise Developer program. They encourage everyone to start using Custom Apps in Apple Business Manager.

Sharkey (lukesharkey@gmail.com)
2019-09-19 21:42:33

*Thread Reply:* Explains the stonewalling

Sharkey (lukesharkey@gmail.com)
2019-09-19 21:42:36

*Thread Reply:* Thanks

Mark Vonk (mark.vonk@dahvo.com)
2019-09-19 15:57:22

6mo?

Mark Vonk (mark.vonk@dahvo.com)
2019-09-19 15:57:53

No, it has never been an issue. As long as the contact info you give is correct and you answer the calls from Apple, it all works fine

Sharkey (lukesharkey@gmail.com)
2019-09-19 21:43:28

*Thread Reply:* Been slow with no explanations. Even did a few screening calls.

Jonathan Henson (jon@1fixpc.com)
2019-09-19 21:37:11

@here Apple has updated their terms of service for Apple Business Manager and Device Enrollment Portal. Have your admins login and accept the updated terms of service so that your devices continue to be assigned properly.

👍 Ladislav Blazek, Boe, Jason, Damian, Johannes Harbs, Thomas B.
aaron (aaron@groundctl.com)
2019-09-19 21:55:58

Also, Apple has MOVED UP the iPadOS and iOS 13.1 release dates: they will now be released Tuesday September 24.

👏 DirkC, Boe, Julio, Johannes Harbs, Thomas B.
Guillaume (bruyereguillaume@hotmail.fr)
2019-09-20 21:32:15

@Guillaume has joined the channel

mahiroux (mhyb.mk@gmail.com)
2019-09-24 15:21:12

I have my personal account configured as ‘default account’ and I have received a SharePoint approval workflow email whose body contains approve and reject options. Starting with iOS 13 devices, when I click ‘Approve’, the email confirmation is sent using my personal account. Is there a way to alter this behavior without changing the default account to my work email?

Thomas B. (tbosboom@apple.com)
2019-09-24 19:34:44

13.1 is live now!

🍾 NicolasR, Ben, Jason
Boe (bkelley1982@gmail.com)
2019-09-26 14:25:39

Random question (feel free to shame me) when we started deploying VPP apps ABM was not a thing so we used what they now called the legacy portal. I know you can get the apps right in ABM so my question to all of you is if I switch to that rather than the legacy portal will that cause any issues for my existing VPP apps? Thanks in advance

Ray Domingue (raydomingue@gmail.com)
2019-09-26 14:29:19

*Thread Reply:* @Boe No shaming. It won't cause any issues. We made the switch too and all of our apps populated in the new ABM portal.

Boe (bkelley1982@gmail.com)
2019-09-26 14:30:22

*Thread Reply:* Thanks @Ray Domingue I appreciate the quick response. Also the shaming was meant to be in good fun; after all, giving someone a hard time here and there builds character 😄 or so they say

Boe (bkelley1982@gmail.com)
2019-09-26 14:34:28

*Thread Reply:* @Ray Domingue did it take a little while for all your apps to populate? I just took the plunge and turned it on and I'm not seeing any of my old apps yet

Ajay Patel (ajay5675@msn.com)
2019-09-26 14:35:25

*Thread Reply:* It's just classed as a "migration" so it should retain all existing apps, just in the new portal. One thing to make sure of is the locations set up in ABM, and also if you use VPP Purchasing agents. A good article is https://support.apple.com/en-gb/HT208817

Boe (bkelley1982@gmail.com)
2019-09-26 14:39:58

*Thread Reply:* Thanks everybody, iOS is by far our biggest use case so wanted to make sure before taking the plunge. I love how fast everyone responds in here, far more efficient than reaching out to support 😄

Ray Domingue (raydomingue@gmail.com)
2019-09-26 14:40:49

*Thread Reply:* "I love how fast everyone responds in here, far more efficient than reaching out to support" Wait ... Apple offers support? 🤣

🤣 Boe, Julio, Wolfgang Bauer
aaron (aaron@groundctl.com)
2019-09-27 18:51:43

Apple is currently signing iOS 12.4.1, 12.4.2, 13.0, 13.1 and 13.1.1.

👍 Sharkey
NicolasR (raison_nicolas@me.com)
2019-09-27 21:51:51

https://twitter.com/axi0mx/status/1177542201670168576?s=21

👍 Tycho
NicolasR (raison_nicolas@me.com)
2019-09-27 21:52:05

Non techie version:

Any iPhone 8/X or earlier can now be:

  • booted to any iOS version, past/present/future, with no SHSH/APTickets

  • booted to any OS (e.g. Android)

  • compromised by attacker w/physical access, but still requires password (or brute force) for private data

👍 Tycho
😂 Damian
NicolasR (raison_nicolas@me.com)
2019-09-27 21:52:34

*Thread Reply:* Source: https://twitter.com/morpheus______/status/1177574298791370752?s=21

Jason Bayton (jason@bayton.org)
2019-09-27 22:02:16

*Thread Reply:* I bet Android would run lovely on their hardware.

💯 Boe
😂 Leon
aaron (aaron@groundctl.com)
2019-09-27 22:50:18

*Thread Reply:*

Dimi (1547@live.co.uk)
2019-09-28 16:00:19

*Thread Reply:* Wow this is huge news nonetheless.

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-28 17:15:34

*Thread Reply:* It is bad but maybe not as bad as it looked at the beginning - see comment #168 - https://forums.macrumors.com/threads/checkm8-exploit-opens-door-to-unpatchable-jailbreak-on-iphone-4s-through-iphone-x.2202080/page-7#post-27815808

Tycho (tycho@schenkeveld.com)
2019-09-28 22:40:34

*Thread Reply:* Some things you mention are only possible once they're actually developed though (e.g. an Android build that can run on such hardware). iOS versions should indeed work.

Also be aware that if you turn it off you have to DFU it to boot again, since the boot rom can't be modified. This exploit is not persistent so it has to be applied on every boot.

By the way as I understand it brute forcing the password/PIN is not possible because the secure element will enforce a number of attempts (10 AFAIK).

Paul Conaty (pconaty@cwsi.ie)
2019-10-03 09:15:18

*Thread Reply:* Secure enclave is not compromised AFAIK, so data will still be encrypted and brute force of creds not possible. Any jailbreak should still be detected by MDM or MTD in theory, so from a corporate data point of view this should not be a high risk item. Obviously monitor closely though, as it's still very new, and be very wary of letting your device out of your sight or plugging it into an unknown lightning cable!

👍 Tycho
NicolasR (raison_nicolas@me.com)
2019-10-03 09:16:39

*Thread Reply:* This is what I understood as well

Julian Brennan (jbrennan@vmware.com)
2019-09-30 05:02:48

@Julian Brennan has joined the channel

Alo Press (alo.press@outlook.com)
2019-09-30 07:49:23

@Alo Press has joined the channel

Ajay Patel (ajay5675@msn.com)
2019-09-30 10:46:27

Does anyone know of a possible solution to get a whole load of iPads up to date to the latest OS without enrolling them? These are brand new devices still in the box but have been sitting in a warehouse for a few months, so likely to be running an early version of 12. Obviously we can sit there and put them into DFU and update 1 by 1 using iTunes, but it would be great if someone knew a quicker, more efficient way.

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-09-30 10:48:11

*Thread Reply:* If you don't have them enrolled my guess is that you need to do them by hand. Quickest would be to have a USB hub and connect the devices to Apple Configurator and do a few at a time.

Ajay Patel (ajay5675@msn.com)
2019-09-30 10:49:13

*Thread Reply:* Yeah, thought this might be the only way, was hoping someone had a miracle solution as there are about 800 iPads that need updating

Jay (jay@project-xy.com)
2019-09-30 10:49:17

*Thread Reply:* ^^yes this! I'm not sure you have any other option really

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-09-30 11:00:26

*Thread Reply:* Oh, and set up an Apple Caching server as that will speed up the process a LOT!

Jay (jay@project-xy.com)
2019-09-30 11:00:41

*Thread Reply:* 👍

aaron (aaron@groundctl.com)
2019-09-30 12:28:58

*Thread Reply:* GroundControl can do it, if you are willing to do a paid option. Want to reach out?

👍 Justin Butts
Ajay Patel (ajay5675@msn.com)
2019-09-30 15:23:43

*Thread Reply:* 100%! shall i DM?

Ajay Patel (ajay5675@msn.com)
2019-09-30 15:25:12

*Thread Reply:* The customer was about to pay for some temps to come in and do this so paid for option is definitely something they will consider.

Nick Knight (arpknight@gmail.com)
2019-10-01 05:51:23

*Thread Reply:* If you have a Mac, you can install Configurator for free from the store and then hook up as many devices as there are USB ports available and select all - update

Rakesh Ramraj (rakeshkumar2191@gmail.com)
2019-09-30 12:39:05

@Rakesh Ramraj has joined the channel

Bastien B (bastienb@gmail.com)
2019-09-30 12:48:14

@Bastien B has joined the channel

Boe (bkelley1982@gmail.com)
2019-09-30 19:32:31

https://www.theverge.com/2019/9/30/20891705/apple-ios-ipados-13-1-2-now-available-camera-icloud-flashlight-fixes-update

Monica Karas (karas_monica@bah.com)
2019-09-30 21:30:14

@Monica Karas has joined the channel

Nick Knight (arpknight@gmail.com)
2019-10-01 05:54:16

Is there another way to force native iOS email to default to HTML? Apart from forcing a signature across all devices that includes a HTML component. WS1

I've found that iOS devices tend to default to plain text emails despite our server side signature being enforced and so the signature is ruined (it requires html to display properly).

Gaurav Patil (gaurav@scalefusion.com)
2019-10-01 06:25:48

@Gaurav Patil has joined the channel

Ray Domingue (raydomingue@gmail.com)
2019-10-01 14:21:37

I posted this in #apple but thought I'd share it here. iOS 13.0 was released on September 19, 2019. iOS 13.1 was released on September 24, 2019. iOS 13.1.1 was released on September 27, 2019. iOS 13.1.2 was released on September 30, 2019.

MarkD (mark.durden@bmcjax.com)
2019-10-01 18:34:13

@MarkD has joined the channel

Ala Almaet (ala@alaalmaet.com)
2019-10-02 00:02:05

@Ala Almaet has joined the channel

Nelson Tauro (tauro.nelson@gmail.com)
2019-10-02 00:12:10

@Nelson Tauro has joined the channel

Gregory LACASSIN (gregory@mobinergy.com)
2019-10-02 09:48:15

@Gregory LACASSIN has joined the channel

Iortx (jorge.barturen@gmail.com)
2019-10-02 09:58:46

@Iortx has joined the channel

Dimi (1547@live.co.uk)
2019-10-02 13:14:26

Hi Folks, can someone recommend a good Endpoint Protection software that integrates with Intune Mobile Threat Defense connector?

MarkD (mark.durden@bmcjax.com)
2019-10-02 14:11:58

I have been asked to architect a mobile standard as a laptop alternative. Some of the designs are easy (iPad Pro, WS1, WS1 Content, Citrix receiver). We are years away from deciding on Office 365. Where I’m struggling is productivity apps, what to choose and how to design.

Any thoughts are welcome

aaron (aaron@groundctl.com)
2019-10-02 14:36:34

*Thread Reply:* Does anyone here use Apple’s iWork apps in their org? If not, what is the most effective way you’ve seen iPad be a useful productivity tool in your office?

Thomas B. (tbosboom@apple.com)
2019-10-02 14:38:25

*Thread Reply:* Office is a very narrow subset of where mobile devices can be used. There are some great examples on apple.com/business/ from companies across health, industry, transport and construction where iPad is used way beyond the traditional ‘office’ use-cases.

Thomas B. (tbosboom@apple.com)
2019-10-02 14:39:01

*Thread Reply:* https://www.ben-evans.com/benedictevans/2019/9/27/new-productivity

Paul Conaty (pconaty@cwsi.ie)
2019-10-03 09:20:31

*Thread Reply:* i have done work like this for clients. my approach is to do a user persona modelling discovery first i.e. workshops, interviews, surveys with end users to find out what their current workflow looks like and where they think it could be improved. usually end up with 6-8 personas and then i analyse these for opportunities for mobile tooling. typically field workers and data consumers/presenters (think sales reps for example) are good candidates for using tablets and mobile apps. if you have a good BA or BA skills it helps 🙂

MarkD (mark.durden@bmcjax.com)
2019-10-02 14:13:56

re-post on to get exposure on a larger channel

Thomas B. (tbosboom@apple.com)
2019-10-02 14:36:57

@MarkD Maybe involve users from a number of key groups to hear their input…

Damian (support@expertmobilite.com)
2019-10-02 15:47:36

Anyone experiencing issues upgrading their iPad to the latest release? I keep getting « Resume download » after a while...I’ve reset network settings, set to airplane mode/reboot/uncheck airplane mode, removed beta profile etc. There are a few articles out there but maybe there is a huge queue requesting the latest iPadOS? 🤔

NicolasR (raison_nicolas@me.com)
2019-10-03 12:14:15

iOS 13.0 was released on September 19, 2019. iOS 13.1 was released on September 24, 2019. iOS 13.1.1 was released on September 27, 2019. iOS 13.1.2 was released on September 30, 2019. iOS 13.2 beta was released on October 2nd, 2019 😱🤯 seriously Apple...

🤨 Woody
😂 Leon
NicolasR (raison_nicolas@me.com)
2019-10-03 12:15:14

Following this rhythm, we will reach iOS 13.9 on June 2019 😛

😆 Woody, Adrian Patrascu
Ajay Patel (ajay5675@msn.com)
2019-10-03 12:32:10

*Thread Reply:* have you invented a time machine? 😉

🙂 Almar Diehl, NicolasR
DirkC (dcarey@vmware.com)
2019-10-03 13:49:07

*Thread Reply:* Maybe there will be some sort of Moore’s law for iOS updates now? The number of iOS updates will double every year/quarter?

NicolasR (raison_nicolas@me.com)
2019-10-03 13:49:44

*Thread Reply:* ...while the battery life is reduced by 2 every month? 😆

Vimal Sharma (vimal.vml27@gmail.com)
2019-10-03 13:26:38

@Vimal Sharma has joined the channel

Cédric REIN (cedric.rein@mobinergy.com)
2019-10-03 17:14:23

@Cédric REIN has joined the channel

Lukas Braun (lukas.braun@ebf.com)
2019-10-04 16:20:45

@Lukas Braun has joined the channel

Kevin Migliaccio (migliack@einstein.edu)
2019-10-07 11:03:05

@Kevin Migliaccio has joined the channel

Rob Bolton (robertsbolton@hotmail.com)
2019-10-07 13:08:38

@Rob Bolton has joined the channel

KP (hari@hpatel.info)
2019-10-07 13:32:47

@KP has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2019-10-07 13:56:35

Has anyone heard something about when federated authentication will be available for managed Apple IDs in Apple Business Manager? As far as I can tell this is still only available for Apple School Manager. Without this iOS User Enrollment won't be a lot of fun 🙂

👍 Tycho
NicolasR (raison_nicolas@me.com)
2019-10-07 15:54:26

*Thread Reply:* “This Fall”...

NicolasR (raison_nicolas@me.com)
2019-10-07 15:54:30

*Thread Reply:* 😄

Dimi (1547@live.co.uk)
2019-10-07 17:54:16

*Thread Reply:* Could not find anything either. Who is up for creating accounts the manual way?

NicolasR (raison_nicolas@me.com)
2019-10-07 17:54:47

*Thread Reply:* 😱

Bilgin (bilginbaldji@yahoo.co.uk)
2019-10-07 23:55:19

*Thread Reply:* I'm also eagerly waiting and kind of dreading the moment.. see someone requested staff to be using Apple ID registered with their corporate email - I'll have a lot to explain about conflicts and why they should start changing their existing IDs

Damian (support@expertmobilite.com)
2019-10-09 13:16:55

*Thread Reply:* Yes we are going to have the exact same issue! It would be nice if Apple could provide a list of users that are using their corporate address currently!

Kiran Patel (kiran@kiranpatel.net)
2019-10-09 14:42:33

*Thread Reply:* There's also the open question on what happens if users have existing "personal" AppleID's with a corporate email address

Tobias (tobias.gruenewald@ebf.com)
2019-10-10 08:14:30

*Thread Reply:* For Apple School Manager, which already has federation, the docs state: Note that standard Apple IDs cannot be converted to Managed Apple IDs. Assuming that ABM will work similar to ASM, this could lead to some serious headache. Maybe you need to create managed IDs like john.doe.appleid@company.com to prevent collisions. But that's just guessing 🙂

MichaelM21 (mike.miller815@yahoo.com)
2019-10-10 18:23:38

*Thread Reply:* So bring me up to speed - the use of managed Apple IDs created with the ABM is only relevant for User Enrollment?

Bilgin (bilginbaldji@yahoo.co.uk)
2019-10-10 22:55:04

*Thread Reply:* @Damian, ASM shows you the conflicts when federation is configured. https://support.apple.com/en-gb/guide/apple-school-manager/apde685676ac/1/web/1 @Tobias, I believe ABM will work like ASM with regards to federation, which means users will get notifications to change the email address used as personal Apple ID (work email address in our case) to something else, or Apple will automatically rename it in 60 days. https://support.apple.com/en-gb/guide/apple-school-manager/apd3bfda7748/1/web/1

👍 Mathieu Beaugrand, Dimi, Tobias
🍎 Tobias
Tobias (tobias.gruenewald@ebf.com)
2019-10-16 14:00:03

*Thread Reply:* @MichaelM21 Currently managed Apple IDs in ABM are only used for assigning administrative roles inside of ABM itself. As soon as User Enrollment becomes available, managed Apple IDs will be used for that mode.

🙏 MichaelM21
Mirco Reimer (slack@mircoreimer.de)
2019-10-08 12:55:58

So User Enrollment Devices with VPP - not device based, correct?

aaron (aaron@groundctl.com)
2019-10-08 13:11:38

*Thread Reply:* Sure it can be device-based VPP if you like. Or user-based. Your choice.

Mirco Reimer (slack@mircoreimer.de)
2019-10-08 13:20:22

*Thread Reply:* with the new user enrollment?

aaron (aaron@groundctl.com)
2019-10-08 13:21:18

*Thread Reply:* I believe so. Why not? Just because there is a Managed Apple ID shouldn’t force you to use user-based app assignment. Device-based offers several advantages.

Mirco Reimer (slack@mircoreimer.de)
2019-10-08 13:22:53

*Thread Reply:* I know, just currently messing around with WS1 and I agree with you on it should but apparently it doesn't 100% want to do stuff - currently assuming it is WS1, as I can see the App then automatically gets the user assignment though device based is activated, it just won't push

Mirco Reimer (slack@mircoreimer.de)
2019-10-08 13:23:38

*Thread Reply:* so it is potentially that or the used VPP token must match the MAID's location within ABM - documentation, at least the one I can find, is pretty slim

aaron (aaron@groundctl.com)
2019-10-08 13:24:34

*Thread Reply:* I admit I haven’t tested. But if MAIDs did require user-based app assignment, that would cause problems when trying to use the same app for, say, shared devices with no Apple ID.

Daniel (d.weber@netze-bw.de)
2020-01-14 09:56:04

*Thread Reply:* User Enrollment does not work with device based vpp. only user licensing.

Mirco Reimer (slack@mircoreimer.de)
2019-10-08 12:58:04

Plus matching Location VPP Token to MAID?

EUC_Junkie (sean.barnardo@insight.com)
2019-10-08 19:59:10

@EUC_Junkie has joined the channel

brob (brian.robinson@gartner.com)
2019-10-09 18:45:57

@brob has joined the channel

Norton (norton@us.ibm.com)
2019-10-10 14:58:41

@Norton has joined the channel

Cody Dirrigle (cody.dirrigle@aspirus.org)
2019-10-10 16:49:23

@Cody Dirrigle has joined the channel

Patrick Poelma (patrick.poelma@hcl.com)
2019-10-10 21:50:13

@Patrick Poelma has joined the channel

Alo Press (alo.press@outlook.com)
2019-10-11 07:36:47

Anyone know what software iMore use for their guides? They got really nice magnifying effect.

Alo Press (alo.press@outlook.com)
2019-10-11 07:39:08

Stuff like this

Phil Burk (philburk@mac.com)
2019-10-11 12:55:46

Apple's Preview app does this

👍 Bilgin, Tycho, Alo Press
Phil Burk (philburk@mac.com)
2019-10-11 12:55:51

on macOS

Phil Burk (philburk@mac.com)
2019-10-11 12:56:21

From the Tools menu --> Annotate

Phil Burk (philburk@mac.com)
2019-10-11 12:56:42

then Loupe

Phil Burk (philburk@mac.com)
2019-10-11 12:57:17

And you get a circle that's resizable which will magnify everything inside:

Brian Irish (brian.m.irish@christianacare.org)
2019-10-11 16:40:23

@Brian Irish has joined the channel

mahiroux (mhyb.mk@gmail.com)
2019-10-13 05:42:12

Is it possible to disable iOS native mail viewer?

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-10-13 09:31:09

*Thread Reply:* you can block it via package name. Some MDM can also remove it via a setting

mahiroux (mhyb.mk@gmail.com)
2019-10-14 14:28:11

*Thread Reply:* Thanks Marc, any idea how to remove this via MobileIron MDM? The issue I am facing is when a user receives a digitally protected attachment via native mail, upon tapping download, it becomes blank. Hence I am trying to fix this by disabling the automatic opening in the native browser.

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2019-10-14 15:49:55

@John Zmyslowski has joined the channel

Cairo (myron@compassfoundation.io)
2019-10-14 17:51:47

@Cairo has joined the channel

Matthew Shaver (mshaver@us.ibm.com)
2019-10-14 21:21:06

Does anyone have the bundle ID for “Find My” handy?

Matthew Shaver (mshaver@us.ibm.com)
2019-10-14 22:09:00

*Thread Reply:* Thanks. Don’t know why my search didn’t return that. Searching “Find My” is just a PITA

jafullersr (jafuller@starbucks.com)
2019-10-21 20:11:43

*Thread Reply:* https://github.com/joeblau/apple-bundle-identifiers

👍 Torben Volkmann
Thibaut Bellon (thibaut@mobinergy.com)
2019-10-15 14:24:45

Has anyone ever implemented the iOS 13 SSO extension with an existing IDP?

👀 aaron, Julio
😒 Brian Irish
Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-10-15 18:15:40

New iOS version, again... https://www.macrumors.com/2019/10/15/ios-13-1-3-released/

Jeff Mosher (jmosher@ca.ibm.com)
2019-10-17 18:07:10

iOS/Workspace One MDM Question: Has anyone else seen it where the Hub app displays a white screen with a "skip" button at the bottom that does nothing? It doesn't appear to affect the functionality of the device or email but it still causes calls to our HelpDesk.

Duncan (duncan@govalux.com)
2019-10-17 22:21:21

Is anyone using Provisional DEP via Apple Configurator 2? I’m wondering how that goes on a somewhat larger scale; meaning many countries. @Almar Diehl maybe have a talk soon?

Almar Diehl (almar.diehl@blaud.com)
2019-10-18 06:36:47

*Thread Reply:* Hi Duncan, let’s plan a call.

Ben (ben@cloudyday.nl)
2019-10-18 23:14:19

*Thread Reply:* Hoi Duncan! Nice to see you here also! It’s no problem to connect from multiple locations with Apple Configurator. I advise using multiple accounts for that for monitoring and 2FA. But yes, it’s a lot of work.

aaron (aaron@groundctl.com)
2019-10-17 22:25:48

It’s a lot of work for each device, and I do not know of a way to automate provisional DEP. On the other hand, once devices have been added to DEP, they behave just like regular DEP devices.

Doug (doug@kalw.at)
2019-10-18 00:09:20

@Doug has joined the channel

Cedric Lüke (mail@cedric.cc)
2019-10-18 10:58:20

@Cedric Lüke has joined the channel

Peter Mohr (pm@conscia.com)
2019-10-20 14:24:29

@Peter Mohr has joined the channel

drew (hello@drewsecomb.com)
2019-10-20 22:11:33

@drew has left the channel

drew (hello@drewsecomb.com)
2019-10-20 22:12:10

@drew has joined the channel

jafullersr (jafuller@starbucks.com)
2019-10-21 20:15:48

Has anyone here figured out if there is a custom profile to manage iPadOS 13's new option for Safari to make it load desktop versions of a web site by default? Settings > Safari > Request Desktop Website > All Websites (Enabled)

I would like to publish a profile that would disable this setting.

Mark Vonk (mark.vonk@dahvo.com)
2019-10-21 20:21:38

*Thread Reply:* Nothing in the configuration payload documentation that suggests it is possible, so I do not think so.

jafullersr (jafuller@starbucks.com)
2019-10-21 20:33:44

*Thread Reply:* Yeah, I can’t find anything either. But I was hoping for some unpublished XML

aaron (aaron@groundctl.com)
2019-10-21 22:11:20

*Thread Reply:* Naughty.

Peter Mohr (pm@conscia.com)
2019-10-22 06:55:59

*Thread Reply:* But why? SSO issues?

jafullersr (jafuller@starbucks.com)
2019-10-22 18:13:41

*Thread Reply:* iPads aren’t desktops. The UserAgent is updated as macOS when this is enabled.

jafullersr (jafuller@starbucks.com)
2019-10-22 18:14:16

*Thread Reply:* Plus the only option is “All Websites”. Can’t I at least reference which ones I want in “Desktop Mode”? This isn’t Microsoft Edge.

jafullersr (jafuller@starbucks.com)
2019-10-22 23:15:05

*Thread Reply:* Thinking I might try a URLScheme to launch the Settings app to that area and work with folks to toggle it off. 🤷‍♂️

jafullersr (jafuller@starbucks.com)
2019-10-22 23:15:14

*Thread Reply:* Safari ⇾ Request Desktop Website: prefs:root=SAFARI&path=Request%20Desktop%20Website

Nico Hermeling (nico.hermeling@outlook.com)
2019-10-22 08:02:05

@Nico Hermeling has joined the channel

Ajay Patel (ajay5675@msn.com)
2019-10-22 09:36:35

Does anyone know if it's possible to blacklist certain app categories instead of manually defining a long list of blacklisted apps? The customer currently uses VPP with no public app store, but they are getting fed up with the amount of requests they get from users to publish certain apps and thought of the possibility of opening up the app store to the user but blacklisting certain categories (i.e. gambling, adult etc.)

Ben (ben@cloudyday.nl)
2019-10-22 09:59:24

*Thread Reply:* Unfortunately this is not possible.

Ajay Patel (ajay5675@msn.com)
2019-10-22 10:11:25

*Thread Reply:* thanks @Ben thought as much

Andrew Olpin (andy@olpin.us)
2019-10-22 14:50:37

*Thread Reply:* I thought there used to be the ability to push a restriction based on app rating, but that may be deprecated.

Paul Conaty (pconaty@cwsi.ie)
2019-10-24 11:11:04

*Thread Reply:* You could put something like Wandera on there and use its categorisation capabilities. They could download a gambling app but not use it or access it via a browser

Paul Conaty (pconaty@cwsi.ie)
2019-10-24 11:11:32

*Thread Reply:* not the best UX but would achieve your goal i think

David F (david.fink@gov.bc.ca)
2019-10-23 22:40:36

Has something changed in the iOS mail app? getting reports the draft folder is not syncing but I don't think it ever did?

AU-Consultant (sambenenge@gmail.com)
2019-10-24 02:50:24

*Thread Reply:* Draft sync was added by MS in ActiveSync 16 (Exchange 2016) and enabled for iOS with 10 - https://support.apple.com/en-us/HT202803, So, if you've been running 2016, you should have had it for a few years now.

Peter Mohr (pm@conscia.com)
2019-10-24 05:53:27

*Thread Reply:* And it still works in iOS 13😀

Cedric Lüke (mail@cedric.cc)
2019-10-24 07:13:50

*Thread Reply:* If you are still on Exchange 2013, there is an additional issue with drafts disappearing from the drafts folder in 13.x, which is fixed with 13.2.

ottseba (ottsebadm@gmail.com)
2019-10-24 09:23:43

@ottseba has joined the channel

JmB (jean-marc.bichaud@econocom.com)
2019-10-24 17:19:36

Hello @here, any idea on how to delete VPP licences on certain apps? Not deleting all licences but just reducing the volume? (We have 50000 licences for 10 terminals... it takes more than 5 minutes to sync licences now)

Ray Domingue (raydomingue@gmail.com)
2019-10-24 17:22:20

*Thread Reply:* @JmB I created another location in ABM and allocated licenses to that new location. i.e. your 50k you could split it up to 25k to your location and the other 25k to another location you set in ABM. That way in your MDM/UEM you'll see 25k allocated while the other 25k are "hidden". Hope that helps.

👍 ottseba, Thomas B., Dimi, JmB
Pierre (pierre.tabanous@digitaldimension.fr)
2019-10-24 17:22:47

*Thread Reply:* I don’t know if it’s possible. You could transfer them to another entity/environment...

Peter Mohr (pm@conscia.com)
2019-10-24 17:22:53

*Thread Reply:* With Business Manager or School Manager you could create a new location and transfer some licenses to that other location "Trash location"

jafullersr (jafuller@starbucks.com)
2019-10-24 17:36:07

*Thread Reply:* Yeah, I have a location called VPP Parking Lot and move licensing there when it’s no longer needed or the app is no longer available.

😂 Mirco Reimer, Boe, Marc van der Kooy, Thomas B.
Boe (bkelley1982@gmail.com)
2019-10-24 20:16:04

*Thread Reply:* Holy crap, great idea guys, this has driven me nuts for a while now. Never thought about doing this but will be implementing it shortly 😄

Kiran Patel (kiran@kiranpatel.net)
2019-10-28 22:06:47

*Thread Reply:* @John Zmyslowski FYI!

Dimi (1547@live.co.uk)
2019-10-28 17:44:41

Hi All. Does someone know what is going to happen when I back up a device when it is DEP enrolled into one MDM (BB UEM) and then migrate it to another MDM (Intune) and try to restore it from the backup?

Ray Domingue (raydomingue@gmail.com)
2019-10-28 18:16:09

*Thread Reply:* @Dimi You're backing it up via iCloud?

Dimi (1547@live.co.uk)
2019-10-28 18:19:41

*Thread Reply:* Nothing is set in stone, I need to come up with a process that would allow me to transfer user data (contacts, photos, personal apps, etc) when I migrate devices from BB UEM to Intune.

Dimi (1547@live.co.uk)
2019-10-28 18:20:32

*Thread Reply:* That led me to a question above.

Nico Hermeling (nico.hermeling@outlook.com)
2019-10-28 18:25:29

*Thread Reply:* Why don‘t you just retire the device in BB UEM and enroll it to Intune? The device is still supervised. Disadvantage is that the user can remove the MDM profile. If you can live with that, I would prefer it.

Dimi (1547@live.co.uk)
2019-10-28 18:30:26

*Thread Reply:* @Nico Hermeling I need a device to be DEP enrolled and Supervised. I believe factory reset is the only way to achieve this.

Dimi (1547@live.co.uk)
2019-10-28 18:31:18

*Thread Reply:* Surely it won't be supervised if you enroll it to Intune without DEP.

Nico Hermeling (nico.hermeling@outlook.com)
2019-10-28 18:32:56

*Thread Reply:* It is still supervised. We‘re using this way for our migration projects

Dimi (1547@live.co.uk)
2019-10-28 18:34:04

*Thread Reply:* After enrollment, the only way to turn on supervised mode is to connect an iOS device to a Mac and use the Apple Configurator (which will reset the device). You can’t configure a device for Supervised mode in Intune after enrollment.

Dimi (1547@live.co.uk)
2019-10-28 18:34:17

*Thread Reply:* https://docs.microsoft.com/en-us/intune/remote-actions/device-supervised-mode#turn-on-supervised-mode-after-enrollment

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 18:34:17

*Thread Reply:* Here is the expected behavior (tested up to iOS 12, but I don’t believe this has changed in iOS 13): https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/

Dimi (1547@live.co.uk)
2019-10-28 18:35:12

*Thread Reply:* @Nico Hermeling you saying the documentation is incorrect or am I missing something.

Nico Hermeling (nico.hermeling@outlook.com)
2019-10-28 18:35:15

*Thread Reply:* Check it out on your own. If the device was supervised in BB and you just retire it there, it is still supervised

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 18:37:11

*Thread Reply:* If you back up a device with no management profile or a management profile from another MDM, then wipe it, DEP enroll it in to a new MDM and allow for them to restore previously mentioned backup, the device will not be properly managed.

As mentioned above, it’s probably just better to remove management without resetting the device and manually via Safari or AC enroll in to the new service.

The supervision will remain in the BB name, but that won’t impact management

Tycho (tycho@schenkeveld.com)
2019-10-28 18:48:43

*Thread Reply:* We tried doing this (DEP migration without factory reset) 2 weeks ago but it's very hit & miss. Sometimes devices show as enrolled but no profiles are there. Other times we get profile installation failed. Sometimes they work OK.

But overall it was hit & miss unfortunately. This was from Workspace ONE to Intune.

Tycho (tycho@schenkeveld.com)
2019-10-28 18:50:54

*Thread Reply:* By the way the backup/restore method did work consistently but only if you don't do the restore during the setup wizard.

Dimi (1547@live.co.uk)
2019-10-28 18:52:14

*Thread Reply:* @Tycho Does it try to restore the MDM profile and apps deployed via the previous MDM?

Tycho (tycho@schenkeveld.com)
2019-10-28 18:52:41

*Thread Reply:* Yes it does if you do it during the setup wizard. It broke the intune process (which uses the guided mode)

Tycho (tycho@schenkeveld.com)
2019-10-28 18:52:48

*Thread Reply:* If you restore after it's ok

Tycho (tycho@schenkeveld.com)
2019-10-28 18:53:00

*Thread Reply:* I didn't test this last bit out myself but this is what my colleagues told me

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 18:53:45

*Thread Reply:* If you do an icloud restore/iTunes restore from a device to a device with the same serial # is when you run in to trouble

Dimi (1547@live.co.uk)
2019-10-28 18:54:36

*Thread Reply:* restoring to same device is a problem?

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 18:55:57

*Thread Reply:* Yes, if you take a device managed by BB and back it up while managed, then reset that same device, enroll it via DEP to Intune, but restore from that iCloud backup during the activation assistant, it will not be managed by Intune. If you restore that same backup to any other device, it will be managed by Intune

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 18:57:22

*Thread Reply:* It gets convoluted - here’s a chart I made

👍 Ray Domingue
Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 18:57:59

*Thread Reply:* This chart doesn’t take in to consideration moving from one service to another, but that’s the same idea as having no management profile in this scenario

Dimi (1547@live.co.uk)
2019-10-28 19:00:10

*Thread Reply:* Thanks guys. I'm going to test this now.

Dimi (1547@live.co.uk)
2019-10-28 19:14:22

*Thread Reply:* @Matthew Shaver in the article you say: the assumption is that all management profile data backups and restores are going through the same MDM/EMM/UEM service, and not during the migration from one solution to another.

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 19:15:09

*Thread Reply:* Yeah, if you are migrating you’ll still hit issues - it will either restore the old management profile or have no management profile

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 19:16:30

*Thread Reply:* The rule of thumb is to avoid restoring if the serial numbers are the same and the MDM is changing. Instead just skip restore and have iCloud backup data sync afterwards. The only big items that can’t be recovered in that workflow are SMS and voicemail history - those are only put back via a restore

Matthew Shaver (mshaver@us.ibm.com)
2019-10-28 19:21:12

*Thread Reply:* I should say this could have all changed with iOS 13. I haven’t had an opportunity to do a fresh round of testing since it launched

Dimi (1547@live.co.uk)
2019-10-28 19:26:53

*Thread Reply:* got it

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-11-04 07:47:27

*Thread Reply:* Would be interesting to know what the case is now in iOS 13

Dimi (1547@live.co.uk)
2019-11-04 20:25:35

*Thread Reply:* It is still the same. DEP enrolment only works if you restore to another device. If you restore to the same device it restores the profile of a previous MDM.

Dimi (1547@live.co.uk)
2019-11-04 20:33:50

*Thread Reply:* FYI @iMZ

Tycho (tycho@schenkeveld.com)
2019-11-05 00:05:17

*Thread Reply:* What we have started doing is deleting the device from the old MDM, then making a backup. The deletion removes the profile and then you can safely restore it.

It's a total PITA though 🙂

Dimi (1547@live.co.uk)
2019-11-06 11:17:24

*Thread Reply:* Need to test that one as well.

Dimi (1547@live.co.uk)
2019-11-07 23:49:40

*Thread Reply:* @Matthew Shaver @Tycho do you know if this is an Intune-specific issue or will apply to any MDM?

Matthew Shaver (mshaver@us.ibm.com)
2019-11-07 23:50:08

*Thread Reply:* This will impact any MDM

Matthew Shaver (mshaver@us.ibm.com)
2019-11-07 23:50:52

*Thread Reply:* It would also impact the same MDM if the device were moved from one APNS managed instance to another

Dimi (1547@live.co.uk)
2019-11-08 10:45:01

*Thread Reply:* Thanks

Steven Falconer (stevfal@cdw.com)
2019-10-29 19:37:48

@Steven Falconer has joined the channel

Binitha Anil (binitha.anil@gmail.com)
2019-10-31 11:20:35

@Binitha Anil has joined the channel

Boe (bkelley1982@gmail.com)
2019-10-31 18:58:24

Just an FYI for anyone who might not have seen this yet https://www.theverge.com/2019/10/31/20942043/apple-ios-13-iphone-11-pro-ram-memory-management-app-background-refresh

🔥 Matthew Shaver
Matthew Shaver (mshaver@us.ibm.com)
2019-10-31 18:59:55

*Thread Reply:* I’m sure they’ll fix it in 13.1.9 which will be out 10 hours after 13.1.8

Andrew Olpin (andy@olpin.us)
2019-10-31 19:00:19

*Thread Reply:* I think you mean 13.2.1 / 13.2.2

Matthew Shaver (mshaver@us.ibm.com)
2019-10-31 19:01:33

*Thread Reply:* I’m still catching up on the freshly released 10.3.4

🤣 Andrew Olpin
Boe (bkelley1982@gmail.com)
2019-10-31 19:02:06

*Thread Reply:* ROFL

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:04:35

*Thread Reply:* anyone else catch that someone developed something for iOS that keeps location tracking alive persistently despite the background app being killed?

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:05:49

*Thread Reply:* We're seeing this on ManageEngine...app is killed, hasn't been opened in a day at least and it's still reliably reporting locations up to date, I've never had reliable iOS location trails from any other MDM. Anyone know anything about new dev functions for location-based tracking in recent iOS updates?

Andrew Olpin (andy@olpin.us)
2019-10-31 19:09:37

*Thread Reply:* Hmmm....I know we (Lookout) use the network helper to automatically wake our app up whenever the device moves or changes networks (VPN, wifi, cell, etc). It's fairly solid.

✅ Woody
Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:11:18

*Thread Reply:* ^That's interesting - I wasn't aware of that functionality

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:11:21

*Thread Reply:* Thank you

Woody (eric.woodland@trust.tc)
2019-10-31 19:13:08

*Thread Reply:* @Andrew Olpin Didn’t the MobileIron client used to use location changes to keep their apps alive as well? It’s been awhile, but that’s what I remember them actually needing location services to accomplish.

Andrew Olpin (andy@olpin.us)
2019-10-31 19:44:09

*Thread Reply:* Yes, indeed it did. I think the difference is that the network helper allows for more than just location changes. It also includes network changes, even if the device is stationary.

Andrew Olpin (andy@olpin.us)
2019-10-31 19:49:01

*Thread Reply:* MobileIron also changed their wakeup strategy to APNS messages. That's another option here, if the service is sending "keep awake" APNS pings.

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:57:49

*Thread Reply:* This is super insightful - would like to test MI out too as I'd rather present just about anything but ManageEngine to folks lol

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:58:28

*Thread Reply:* In MaaS360 for instance, getting accurate location info for an iOS device outside the first 24 hours of enrollment is exceedingly rare

Andrew Olpin (andy@olpin.us)
2019-10-31 19:58:35

*Thread Reply:* What, specifically, are you trying to do with the product? Is this for fleet management, or just basic back-of-house EMM?

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:59:15

*Thread Reply:* both really - a huge chunk of our client base is construction so fleet mgmt is a huge concern, we generally outfit them with Androids

Justin Butts (justin.butts777@gmail.com)
2019-10-31 19:59:24

*Thread Reply:* but some folks have already invested in iPads and deployed them

Andrew Olpin (andy@olpin.us)
2019-10-31 19:59:53

*Thread Reply:* Hmmm....I'd suggest you start with GroundControl (@aaron) and see where they can take you.

Andrew Olpin (andy@olpin.us)
2019-10-31 20:00:25

*Thread Reply:* I haven't kept up on all the ins and outs of the product, but back in my MobileIron days they were a great partner for fleet management.

Andrew Olpin (andy@olpin.us)
2019-10-31 20:01:38

*Thread Reply:* For basic MDM / EMM, I was surprised at how much I liked Cisco's Meraki product. It doesn't have a lot of advanced features, but it was easy to use, and the user UI was solid.

Andrew Olpin (andy@olpin.us)
2019-10-31 20:04:57

*Thread Reply:* Also, a bunch of your customers may be using Microsoft Office 365, and may already have EMS licenses which include Intune. While I find Intune a bit frustrating to use as an admin, for no-frills EMM it'll get the job done...and potentially with no added costs.

Justin Butts (justin.butts777@gmail.com)
2019-10-31 20:27:45

*Thread Reply:* InTune is the enemy

Justin Butts (justin.butts777@gmail.com)
2019-10-31 20:50:47

*Thread Reply:* haha

Paul Conaty (pconaty@cwsi.ie)
2019-11-01 09:25:28

*Thread Reply:* Intune won't do location tracking... period

Justin Butts (justin.butts777@gmail.com)
2019-11-01 16:20:12

*Thread Reply:* @Paul Conaty Wait seriously?

Paul Conaty (pconaty@cwsi.ie)
2019-11-01 17:21:22

*Thread Reply:* Yep. Lost mode only https://practical365.com/clients/mobile-devices/can-microsoft-intune-see-managed-mobile-devices/

Keith Freeze (keith.freeze@gmail.com)
2019-10-31 21:46:53

@Keith Freeze has joined the channel

Jason (jasonh@bridgeway.co.uk)
2019-11-01 08:58:09

*Thread Reply:* At last! Yay!

RamananScalefusion (ramanan@scalefusion.com)
2019-11-01 13:06:20

@RamananScalefusion has joined the channel

iMZ (mark_zimmermann@me.com)
2019-11-02 10:57:24

Does anyone have a table in which "DEP / Supervised", "Supervised" and "non Supervised" devices are compared? What are the differences, which ones can be backed up and restored ?

Justin Butts (justin.butts777@gmail.com)
2019-11-04 15:45:21

*Thread Reply:* https://blog.scalefusion.com/ios-supervised-vs-unsupervised-benefits-of-supervising-ios-devices/##targetText=Supervised%20vs%20Unsupervised%20Devices&targetText=iPhones%20and%20iPads%20can%20be,only%20to%20a%20certain%20extent.

Dimi (1547@live.co.uk)
2019-11-04 20:32:01

*Thread Reply:* Backup is tricky though. It breaks DEP enrolment if you restore. You can only restore to a new device.

JeroenK (j.kruit@zetacom.nl)
2019-11-04 08:08:02

@JeroenK has joined the channel

Nitsan Palgi (nitsan@tmgltd.co.il)
2019-11-04 08:48:11

@Nitsan Palgi has joined the channel

Justin Butts (justin.butts777@gmail.com)
2019-11-04 21:01:38

anyone else aware of an apparent 13.2 bug returning a "Device must be enrolled interactively" error - and then when going to reset via iTunes receiving error "Turn off Find My iPhone" ? These are brand new DEP devices, and may only be an issue when restoring from a backup with a previous management profile on it

Matthew Shaver (mshaver@us.ibm.com)
2019-11-04 21:22:28

*Thread Reply:* There is another thread floating around with this question - seems to be impacting every solution. We've opened an Apple ticket for it, but I haven't seen any traffic on it yet

👍 Yth, Dana Baker
Justin Butts (justin.butts777@gmail.com)
2019-11-04 21:35:47

*Thread Reply:* Yeah I saw first reports coming out of InTune

Justin Butts (justin.butts777@gmail.com)
2019-11-04 21:35:53

*Thread Reply:* just saw our own on MaaS

Woody (eric.woodland@trust.tc)
2019-11-11 16:15:59

*Thread Reply:* Anyone heard more on this? MI Support hasn’t been able to draw any real conclusions. Not that I expect them to at this point.

Woody (eric.woodland@trust.tc)
2019-11-11 16:20:19

*Thread Reply:* Following-up on this thread….

Matthew Shaver (mshaver@us.ibm.com)
2019-11-11 16:26:09

*Thread Reply:* The only workflow on which we’ve been able to reliably reproduce the behavior is utilizing the proximity setup option

🤔 Woody
Justin Butts (justin.butts777@gmail.com)
2019-11-12 17:55:26

*Thread Reply:* We just saw another one with a brand new AT&T Device order. Restore was attempted

Justin Butts (justin.butts777@gmail.com)
2019-11-12 17:55:53

*Thread Reply:* over this weekend

Justin Butts (justin.butts777@gmail.com)
2019-11-12 17:56:04

*Thread Reply:* Replacing with a brand new device

Woody (eric.woodland@trust.tc)
2019-11-12 19:22:53

*Thread Reply:* Ugh @Justin Butts. That’s gotta be frustrating for carriers

Sharkey (lukesharkey@gmail.com)
2019-11-15 18:25:49

*Thread Reply:* So replacing the device is the only solution to this?

Woody (eric.woodland@trust.tc)
2019-11-15 18:27:23

*Thread Reply:* @Sharkey I’ve not heard anything official from Apple, but it sounds like that has been the only definitive way to fix the issue at this moment.

Sharkey (lukesharkey@gmail.com)
2019-11-15 18:28:01

*Thread Reply:* Ouch. Just had one reported here

Matthew Shaver (mshaver@us.ibm.com)
2019-11-15 18:28:02

*Thread Reply:* Apple told us in their “We are Investigating” response to try a factory reset. Some workflows seem to reproduce more consistently than others - I can make it happen every time I use proximity setup for example

Sharkey (lukesharkey@gmail.com)
2019-11-15 18:28:27

*Thread Reply:* Having her restore it now.

Sharkey (lukesharkey@gmail.com)
2019-11-15 19:28:01

*Thread Reply:* We don't allow restores with DEP and an iTunes restore did not help. DFU doesn't help either?

Matthew Shaver (mshaver@us.ibm.com)
2019-11-15 19:55:22

*Thread Reply:* Is the user restoring a backup or using proximity setup at all?

Sharkey (lukesharkey@gmail.com)
2019-11-15 19:58:12

*Thread Reply:* I'm checking with the Telecom person

Sharkey (lukesharkey@gmail.com)
2019-11-15 20:58:17

*Thread Reply:* They used iTunes to try and restore. She gave him a different device. I’m picking up the problem child device next week for testing.

Matthew Shaver (mshaver@us.ibm.com)
2019-11-15 21:00:31

*Thread Reply:* I would also ask them to try activating without doing the iTunes restore. I'd bet that's the culprit

👍 Sharkey
Sharkey (lukesharkey@gmail.com)
2019-11-15 21:05:42

*Thread Reply:* Probably so. But they already moved on :)

Jordan Philip (jordan.philip@mobilesolutions.net)
2019-11-19 19:01:32

*Thread Reply:* Has anyone on this thread received any updates? Just trying to find some documentation/acknowledgement from Apple that I can pass on to my customers.

Matthew Shaver (mshaver@us.ibm.com)
2019-11-20 15:38:07

*Thread Reply:* Just an acknowledgement by Apple that they’ve received numerous reports and that they are investigating.

👍 Sharkey, Woody
Sharkey (lukesharkey@gmail.com)
2019-11-20 15:48:36

*Thread Reply:* And that's a lot from Apple ;)

Jordan Philip (jordan.philip@mobilesolutions.net)
2019-11-20 22:24:08

*Thread Reply:* Yay, FYI, 13.2.3 is also experiencing this. Pandemonium ensuing... wouldn't it be wonderful if people just bought more iCloud storage space and moved on with their lives without previous iPhone backups? Just sign in people...

😆 Woody
Jordan Philip (jordan.philip@mobilesolutions.net)
2019-12-04 17:24:50

*Thread Reply:* Just had a 13.2.3 device go through this process without fail...

👍 Woody
Justin Butts (justin.butts777@gmail.com)
2019-11-04 21:03:46

Apple allegedly replacing devices and acknowledging a bug

Justin Butts (justin.butts777@gmail.com)
2019-11-04 21:06:47

logging into iCloud on browser and removing the device seemingly no impact

Bram Dc (bram.de.corte@xylos.com)
2019-11-06 10:46:46

@Bram Dc has joined the channel

Michael Goad (michaelpat87@gmail.com)
2019-11-07 13:58:10

I get a lot of questions from users on how to find their ABM/DEP/ORG ID (however you want to call it 🙂). To hopefully save some emails for the community, here is a video I made on how to find your org's ABM ID and add a reseller to your ABM portal. https://youtu.be/Kif1sXJJAdE

👍 Adrian Patrascu, Matthew Shaver, Tycho, Phil Hackett, Woody
Woody (eric.woodland@trust.tc)
2019-11-07 23:04:12

*Thread Reply:* Nice @Michael Goad!

Michael Goad (michaelpat87@gmail.com)
2019-11-07 23:04:29

*Thread Reply:* Thanks!

EricKender (ekender@mobileiron.com)
2019-11-07 20:06:54

@EricKender has joined the channel

Michael Troelstrup (MICHAEL@TECHORCHARD.COM)
2019-11-09 20:01:13

@Michael Troelstrup has joined the channel

Jason Pascual (jp@apple.com)
2019-11-10 14:31:26

@Jason Pascual has joined the channel

Aamir Khan (aamir.tauqir@outlook.com)
2019-11-11 06:02:22

@Aamir Khan has joined the channel

Dimi (1547@live.co.uk)
2019-11-11 07:07:23

Semi tethered Jailbreak https://checkra.in/#release

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-11-11 11:57:54

@Wannes De Boodt has joined the channel

Dave Hess (dhess@vmware.com)
2019-11-11 13:25:10

@Dave Hess has joined the channel

Woody (eric.woodland@trust.tc)
2019-11-12 20:05:28

Do we have the ability to arrange a logical grouping of apps on a supervised device? I know this was not possible previously, but it’s been a while since I attempted it.

aaron (aaron@groundctl.com)
2019-11-12 22:24:17

*Thread Reply:* @Woody you mean folders? Pages? Yes you can do all with home screen icon arrangement. Usually a standard EMM feature.

Woody (eric.woodland@trust.tc)
2019-11-12 22:25:23

*Thread Reply:* @aaron Yeah - I just found it. Last time I was doing it, I was lending profile templates from Configurator. Now they’ve been added to the main list of iOS Policies in MobileIron. Crafting one now 🙂

jafullersr (jafuller@starbucks.com)
2019-11-14 22:37:59

*Thread Reply:* Keep in mind that any apps that are not listed in your profile will be pushed to the first empty space on screen. Also, web clips can’t be organized (from what I’ve seen/experienced).

👍 Woody
Woody (eric.woodland@trust.tc)
2019-11-15 15:25:10

*Thread Reply:* Thanks @jafullersr!

DirkC (dcarey@vmware.com)
2019-11-15 15:52:20

*Thread Reply:* Webclips can be organized, but you will most likely need to apply custom XML unless it has been added to the MDM’s GUI.

Woody (eric.woodland@trust.tc)
2019-11-15 16:23:39

*Thread Reply:* @DirkC - Yes sir! Current MDM (MI Core) has it included in the GUI.

jafullersr (jafuller@starbucks.com)
2019-11-15 17:13:48

*Thread Reply:* @DirkC Have you been able to get web clips organized? None of what I’ve attempted works. Could you share your success?

DirkC (dcarey@vmware.com)
2019-11-15 17:15:20

*Thread Reply:* The Home screen layout profile is basically a nested array of items. The web clips should be created within the profile itself to be ordered correctly.

jafullersr (jafuller@starbucks.com)
2019-11-15 17:29:38

*Thread Reply:* Oh. We can’t do that. I’ll test it out though. Thanks!

DirkC (dcarey@vmware.com)
2019-11-15 17:35:33

*Thread Reply:* Unfortunately web apps created by a web clip profile are not given unique identifiers 😞 Maybe Apple will make some change with a future update.

jafullersr (jafuller@starbucks.com)
2019-11-15 17:36:10

*Thread Reply:* Yup. That was why I couldn’t figure out how to do it. Makes sense when it’s in the same profile that you’d have more control.

Kyle McKee (kyle@techorchard.com)
2019-11-14 20:56:02

@Kyle McKee has joined the channel

Derek H (derekharkin@gmail.com)
2019-11-14 21:15:01

@Derek H has joined the channel

Cody Dirrigle (cody.dirrigle@aspirus.org)
2019-11-16 00:40:03

so got abm connected to azure and now it says we have 468 people using @ourdomain for appleid and they could request to have them change it but I thought if I took the option to "Include “appleid” subdomain in each domain" this would avoid that issue?

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-11-16 09:41:37

*Thread Reply:* It would yes.

Cody Dirrigle (cody.dirrigle@aspirus.org)
2019-11-17 20:59:33

*Thread Reply:* that seems to not work, I have a ticket open with apple to see what they say

iMZ (mark_zimmermann@me.com)
2019-11-16 10:57:05

Something interesting from Germany: https://www.comconsult-akademie.de/ios-im-unternehmen/

iOS sessions

Bubbaglia (roberto.tramelli@gmail.com)
2019-11-16 13:08:59

@Bubbaglia has joined the channel

Damian (support@expertmobilite.com)
2019-11-18 14:37:37

QQ: have a VIP locked out of iOS as his passcode isn’t working. He swears that it was working today and stopped post reboot of his iOS (device MDM registered on AirWatch). As his passcode isn’t working and there is no network to clear the passcode via AW, has anyone successfully managed to send the command if the device is connected via a lightning to Ethernet adapter? Don’t have an adapter here to test unfortunately...

Johannes Harbs (harbs.johannes@gmail.com)
2019-11-18 14:38:54

*Thread Reply:* Use a SIM card without SIM Pin. That way, the device will connect to cellular even before it is unlocked.

👍:skin_tone_2: Simon Hardy-Bistagne, Julio, Damian, Tycho
Matthew Shaver (mshaver@us.ibm.com)
2019-11-18 14:42:54

*Thread Reply:* Yes, I have had success tethering it to a network cable to get around the SIM lock

👍 Damian, Tycho
Julio (julio.vita@hotmail.de)
2019-11-18 14:50:31

*Thread Reply:* SIM Card without SIM PIN is always the easiest way to fix this

Damian (support@expertmobilite.com)
2019-11-18 15:04:48

*Thread Reply:* If you knew how fast Orange work here...anything we ask takes a month to get sorted

🤣 Tycho
Damian (support@expertmobilite.com)
2019-11-18 15:05:35

*Thread Reply:* I’ve ordered a lightning to Ethernet cable to get around this - delivery Wednesday

Damian (support@expertmobilite.com)
2019-11-18 15:06:53

*Thread Reply:* Curious if anyone is seeing this behaviour as we’ve had a few reports recently that the passcode is not working post reboot ?

Damian (support@expertmobilite.com)
2019-11-18 15:07:56

*Thread Reply:* As we force passcode renewal every 90 days, is it finally being pushed due to bug? Will have to extract the logs! Hopefully not late to get them before the cable arrives

Matthew Shaver (mshaver@us.ibm.com)
2019-11-18 15:10:32

*Thread Reply:* I’ve had varying degrees of luck. Only the cellular data is supposed to be locked after the restart, and the device should be able to connect to wifi if auto join was enabled, but I have trouble getting that to work in some scenarios (such as on captive networks). There really should be some sort of connectivity option on that lock screen after reboot.

Damian (support@expertmobilite.com)
2019-11-18 15:11:08

*Thread Reply:* Wi-Fi is definitely not working for us

Damian (support@expertmobilite.com)
2019-11-18 15:11:20

*Thread Reply:* And it’s a saved profile with auto-join

Damian (support@expertmobilite.com)
2019-11-18 15:12:32

*Thread Reply:* I think I’m going to open a case with Apple enterprise support to get the definitive word on this...was reading that since iOS 12 they might have closed this Ethernet connection option

Mark Vonk (mark.vonk@dahvo.com)
2019-11-18 16:03:13

*Thread Reply:* The problem is that the device is still in a secure lock stage after the reboot. It does not connect to wifi until the password is at least entered once. We do see it on occasion on other MDMs but typically discount it as a user error. Never had it myself. With the recent iOS release bugs and a somewhat similar snafu on macOS however (@Jason Bayton reported one here and I had the same issue) it just might be an iOS issue

Matthew Shaver (mshaver@us.ibm.com)
2019-11-18 16:04:59

*Thread Reply:* I can reproduce that behavior in Apple Configurator too - if I use that to reset the device passcode after a reboot - the console comes up with an error that the action can’t be completed. I asked Apple about this once and they said that the behavior for AC is different than if an MDM does the actions. They said it should be able to connect to wifi (this coming directly from an engineer) but this runs counter to the behavior we actually witnessed. It’ll be interesting to see what they say to you

Mark Vonk (mark.vonk@dahvo.com)
2019-11-18 16:08:06

*Thread Reply:* I always believed that key material stored in the keychain is not accessible until the user enters the password following a reboot. At least that is my experience and always thought this caused the wifi not to connect. So my experience is indeed also opposite of what the Apple engineer said.

👍 Thomas B.
Mark Vonk (mark.vonk@dahvo.com)
2019-11-18 16:13:54

*Thread Reply:* Actually, it is even described by Apple in the iOS security guide: https://www.google.com/url?sa=t&source=web&rct=j&url=https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf&ved=2ahUKEwi6ho7VkvTlAhVLa1AKHVNOAl8QFjAAegQIBhAB&usg=AOvVaw3Ujo8tzl-eehO9Buh7Q4iQ

Page 21.

A wifi password is only accessible after first unlock. Certificates are always accessible though. So I guess it depends on the wifi network configured.

Matthew Shaver (mshaver@us.ibm.com)
2019-11-18 16:21:27

*Thread Reply:* Which tracks with it not working on captive networks - but if I use my mobile hotspot with a passcode on it, the action will work.

Damian (support@expertmobilite.com)
2019-11-18 18:03:50

*Thread Reply:* I’ve opened a case to get a definitive answer on this and won’t let up until I have all I need. Let me know if there any questions you’d like answered around this topic ;)

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-11-19 08:04:04

*Thread Reply:* the only thing we observed since iOS 13 is that devices are sometimes slow when you try to enter your passcode. And if you enter the digits too fast, not all entries are taken, which results in errors

Damian (support@expertmobilite.com)
2019-11-19 08:13:22

*Thread Reply:* Definitely noticed that! Also this here: https://www.theverge.com/2019/10/31/20942043/apple-ios-13-iphone-11-pro-ram-memory-management-app-background-refresh

Kiran Patel (kiran@kiranpatel.net)
2019-11-20 09:16:27

*Thread Reply:* Does the VIP have this issue with an iPhone or iPad? We recently had an issue where the iPad Pro with an Apple keyboard was defaulting to caps lock which is why the passcode wasn’t being taken. Again not sure if they have a numeric pin or complex but figured it was worth sharing

Damian (support@expertmobilite.com)
2019-11-21 17:23:36

*Thread Reply:* Removing the pin from the SIM of my phone and putting it in the affected device allowed the clear passcode push to hit the device and thus resolved the issue...yes it really was that simple...who would have thought but for some reason my head was stuck in carrier mode and not disabling the goddamn pin from within the iOS setting...! Just awaiting log analysis from support!

Julio (julio.vita@hotmail.de)
2019-11-19 15:03:47

Hi, I wanted to play around with User Enrollment, even though we don’t use Azure AD. I created the managed Apple ID myself in ABM and then followed the instructions under this link: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1910/iOS_Platform/GUID-F680F0CB-5BEB-4EDE-A885-72392AFE938C.html When I try to enroll the device, I receive an error which basically tells me that the account could not be registered and I’d have to contact the admin (myself). What is missing for me in the instructions, is the part where the WSO console comes to know about the managed Apple ID so that I can actually use it. Anybody in here who had some similar issues or maybe already sees what I’m doing wrong?

DirkC (dcarey@vmware.com)
2019-11-19 15:20:35

*Thread Reply:* Did you ensure that the OG that you are enrolling into has User enrollment enabled : https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1910/iOS_Platform/GUID-9759D1D5-D76C-4139-BF7A-8965F50E353F.html as well as require MDM agent for iOS is not enabled?

Julio (julio.vita@hotmail.de)
2019-11-19 15:22:25

*Thread Reply:* Yup, both things are as mentioned

DirkC (dcarey@vmware.com)
2019-11-19 15:30:21

*Thread Reply:* Able to translate that error message?

Julio (julio.vita@hotmail.de)
2019-11-19 15:33:29

*Thread Reply:* „Your account could not be registered. Please talk to your system admin.“

DirkC (dcarey@vmware.com)
2019-11-19 15:34:50

*Thread Reply:* If you turn off user enrollment at that OG, does it work?

DirkC (dcarey@vmware.com)
2019-11-19 15:35:32

*Thread Reply:* Looks like you shouldn’t even get to the portion where it asks for a password when user enrollment is enabled at the OG.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-11-19 15:41:43

*Thread Reply:* I don't believe that "User Enrolment" and the Azure AD // ABM connection are interlinked.

They are separate subjects not reliant on each other.

The Azure connection is just so that users can use their corporate credentials as their Apple ID, and user enrolment is just a form of iOS "Work Profile" enrolment, which is not reliant on any specific corporate Apple ID.

**Turns out I'm wrong... :)

Julio (julio.vita@hotmail.de)
2019-11-19 15:45:14

*Thread Reply:* @DirkC “User credentials are invalid”, is what I get then.

DirkC (dcarey@vmware.com)
2019-11-19 15:46:46

*Thread Reply:* Sounds like something is wrong with your user.

Julio (julio.vita@hotmail.de)
2019-11-19 15:46:48

*Thread Reply:* @Simon Hardy-Bistagne Ah okay, thanks for clarification. Still I’ll have to dig deeper in order to find out how to make this scenario work for me.

DirkC (dcarey@vmware.com)
2019-11-19 15:49:17

*Thread Reply:* @Simon Hardy-Bistagne @Julio User enrollment requires a Managed Apple ID to function (MAID). You can either create the IDs manually, or federate to Azure AD.

DirkC (dcarey@vmware.com)
2019-11-19 15:51:14

*Thread Reply:* Workspace ONE UEM has the user install a special management profile that will have the user input their managed Apple ID email address and password within a special GUI. Sounds like Julio may be running into an issue with the user.

DirkC (dcarey@vmware.com)
2019-11-19 15:55:13

*Thread Reply:* Are you able to ensure that the enrollment organization group of the user is set to the OG where user enrollment is enabled and that a duplicate user account with the same email address doesn’t exist?

Julio (julio.vita@hotmail.de)
2019-11-19 15:58:53

*Thread Reply:* Yes

iMZ (mark_zimmermann@me.com)
2019-11-20 13:19:46

Has any of you seen User Enrollment fully functional ? Enterprise iCloud - not working ! Enterprise contacts , calendar and reminder also not ! What's going on ? #ios13

Julio (julio.vita@hotmail.de)
2019-11-20 13:36:31

*Thread Reply:* The instructions on how to make it work without Azure AD in Workspace ONE are already a hot mess. Tried it yesterday and didn’t get it to work.

Mirco Reimer (slack@mircoreimer.de)
2019-11-20 21:18:42

*Thread Reply:* works fine here in regards of the WS1 guide

MichaelM21 (mike.miller815@yahoo.com)
2019-11-22 12:27:03

*Thread Reply:* What if the email is already registered as a private Apple ID? Is there a solution for that? I mean the solution of course could be to use the recommended subdomain as a managed Apple ID.. like user@managed.company.com. I know there is no possibility to convert existing private Apple IDs into managed Apple IDs (except having the user change the domain of the private Apple ID so the original email domain frees up)

Julio (julio.vita@hotmail.de)
2019-11-22 12:59:28

*Thread Reply:* Learned yesterday, if it is a company domain that is assigned in ABM it can be claimed by the company. User gets informed and has 60 days to remove his personal data from it. After those sixty days it becomes a Managed Apple ID.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-22 15:23:11

*Thread Reply:* Really? And this is triggered when creating that particular managed Apple ID?

Julio (julio.vita@hotmail.de)
2019-11-22 15:32:29

*Thread Reply:* As far as I was told, yes. But would have to try it to confirm it. Got that info from a certified Apple trainer in an iOS 13 training yesterday.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-11-22 15:39:55

*Thread Reply:* Very cool information, thank you. Will also try this.. On that same note: Do you know if there is a way to do a bulk creation or only one by one possible?

Julio (julio.vita@hotmail.de)
2019-11-22 15:41:11

*Thread Reply:* Raised that same question yesterday. He said using CSVs that you can upload to ABM would give you that possibility. It would have to follow a specific template, that I haven‘t seen yet, but it should be possible.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-11-22 15:46:21

*Thread Reply:* Sounds good! 👌

Julio (julio.vita@hotmail.de)
2019-11-22 15:57:57

*Thread Reply:* 👍:skintone5:

jafullersr (jafuller@starbucks.com)
2019-11-25 18:54:35

*Thread Reply:* Federation is the best approach as local Apple ID creation, even in bulk may have unintended consequences when attempting to manage the services and access those ids have. For instance, I have heard anecdotally that local, managed Apple IDs have issues with User-based Enrollment. The success of enrollment is not consistent when using them. Whereas, federated identities tied to managed Apple IDs work consistently.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-11-25 20:00:44

*Thread Reply:* Does it matter which IdP is in place? Like PingFederate, ADFS, etc? Is this just for Azure AD?

Bram Dc (bram.de.corte@xylos.com)
2019-11-26 22:57:24

*Thread Reply:* @Julio after the 60 days the personal Apple ID gets assigned a random username, so that the company email can be used as a managed Apple ID. The personal doesn't auto transfer to managed

Julio (julio.vita@hotmail.de)
2019-11-27 05:35:51

*Thread Reply:* Good to know, thanks @Bram Dc

MichaelM21 (mike.miller815@yahoo.com)
2019-11-27 10:28:02

*Thread Reply:* But as far as I was told this feature works only for the federated authentication, not when adding managed Apple IDs manually or via CSV

Bram Dc (bram.de.corte@xylos.com)
2019-11-28 15:52:02

*Thread Reply:* Indeed only for federated accounts

MichaelM21 (mike.miller815@yahoo.com)
2019-11-28 16:47:26

*Thread Reply:* Since you mentioned SSO.. at one point the user has to provide the password, right? Or can this be done seamless?

jafullersr (jafuller@starbucks.com)
2019-12-03 00:04:37

*Thread Reply:* Federated means that your users will use the existing password for the identity that is federated to ABM. For example, I have an ID called me@me.com. This identity is what I would use to authenticate and thus I would use the password associated with that identity service. Behind the scenes, Apple creates a managed Apple ID that is obfuscated from the user, but assigned based off of your ABM settings.

Sam Senior (CWSI) (ssenior@cwsi.ie)
2019-11-20 17:10:47

@Sam Senior (CWSI) has joined the channel

ZPatrick (zine.tala@gmail.com)
2019-11-22 00:36:00

@ZPatrick has joined the channel

JJ MacLean (jj@gsmaclean.com)
2019-11-22 03:34:34

@JJ MacLean has joined the channel

Jere Jutila (jere.jutila@miradore.com)
2019-11-25 20:17:56

@Jere Jutila has joined the channel

Tim (tim.struik@blaud.com)
2019-11-26 10:16:43

@Tim has joined the channel

Damian (support@expertmobilite.com)
2019-11-26 13:59:49

It seems that apps are allowed more time in the background since iOS 13.2.3 as reported here where they were being killed more often: https://www.theverge.com/platform/amp/2019/10/31/20942043/apple-ios-13-iphone-11-pro-ram-memory-management-app-background-refresh

Govi (byodmdm@gmail.com)
2019-12-02 15:14:58

@Govi has joined the channel

Florian FERRAND (florian.ferrand@econocom.com)
2019-12-03 14:26:31

@Florian FERRAND has joined the channel

Carl Bjorklund (Carl.bjorklund@econnectivity.se)
2019-12-06 08:00:40

@Carl Bjorklund has joined the channel

Simon (sudeepn@vmware.com)
2019-12-09 18:14:56

@Simon has joined the channel

Chris Avedissian (avedissianc@gmail.com)
2019-12-09 20:49:41

@Chris Avedissian has joined the channel

Boe (bkelley1982@gmail.com)
2019-12-11 14:06:22

Does anyone know if it's possible to push a home page or bookmark to Chrome on iOS by chance?

Peter Mohr (pm@conscia.com)
2019-12-11 14:38:03

Not to Chrome...

Boe (bkelley1982@gmail.com)
2019-12-11 14:38:50

*Thread Reply:* Thanks Peter, that's what I figured. I hadn't found a way to do so but figured I would ask in case someone had some black magic up their sleeve :D

Matthew Shaver (mshaver@us.ibm.com)
2019-12-11 15:44:47

*Thread Reply:* Don’t know why they support App Config on Android but not on iOS

Johannes Harbs (harbs.johannes@gmail.com)
2019-12-11 14:39:53

Does anyone else experience DEP sync issues? We have two customers with two WS1 On-Premise environments each (hosted in Germany), which all fail to sync new devices. Token refresh did not solve the issue.

Bram Dc (bram.de.corte@xylos.com)
2019-12-11 15:05:58

Does the following sound familiar? When the iPhone is idle for a while, notifications are not coming through from messages, either SMS or WhatsApp. The phone is not on Do Not Disturb, and when the phone is used recently everything works fine.

aaron (aaron@groundctl.com)
2019-12-11 15:44:55

Hi all! Yesterday Apple released an updated online deployment guide for iPhone/iPad. https://support.apple.com/guide/deployment-reference-ios/welcome/web

Matthew Shaver (mshaver@us.ibm.com)
2019-12-11 15:45:33

*Thread Reply:* Nice! Thanks Aaron

aaron (aaron@groundctl.com)
2019-12-11 15:46:02

*Thread Reply:* Nothing new in here, if you’ve been following the iOS 13 updates, as far as I can tell. But some documentation is more clearly written.

MichaelM21 (mike.miller815@yahoo.com)
2019-12-11 17:22:11

Anyone else having issues with notifications for new emails with the native client on iOS 13? Sync is set to push but certain devices only receive new mails when opening the mail client. Is there a known issue? Never seen this before. (Exchange On-Premise with MobileIron Sentry & Core, Basic Auth)

Norton (norton@us.ibm.com)
2019-12-11 18:06:22

*Thread Reply:* yes I've been having issues as well. I will sometimes have to force close the mail app to have it reload. Manual refresh will not work

Mark Vonk (mark.vonk@dahvo.com)
2019-12-11 18:26:26

*Thread Reply:* Up until 13.2.3 there were many issues with mail notifications. These are known issues with Apple and I believe most of it is solved now with 13.3

🙏 MichaelM21
Boe (bkelley1982@gmail.com)
2019-12-11 18:51:05

*Thread Reply:* Each release of 13 has addressed some sort of email issue. Hopefully 13.3 finally fixes the last of them, but only time will tell.

🙏 MichaelM21
Boe (bkelley1982@gmail.com)
2019-12-11 18:51:06

*Thread Reply:* https://support.apple.com/en-us/HT210393

• Fixes issues in Mail that may prevent downloading new messages
• Addresses an issue that prevented deleting messages in Gmail accounts
• Resolves issues that could cause incorrect characters to display in messages and duplication of sent messages in Exchange accounts

🙏 MichaelM21
mahiroux (mhyb.mk@gmail.com)
2019-12-12 19:08:32

*Thread Reply:* A few of my users have been facing an issue deleting emails from their Apple native mail app. Deleted mails appear again in the inbox. They are all on iOS 13.2.

Jeoffrey Burri (generi@generi.ch)
2019-12-12 20:33:43

Hello all. I deferred iOS 13 through MDM. It's the first time I did that, so I'm wondering: on the 18th, when the 90 days are reached, will the devices update to just 13.1 or can they jump up to 13.3? Assuming the deferral policy is still active on the device.

aaron (aaron@groundctl.com)
2019-12-12 21:22:05

*Thread Reply:* Hi @Jeoffrey Burri! They shouldn’t update automatically. Rather, they will prompt the user to update to 13.0. The user can decline.

aaron (aaron@groundctl.com)
2019-12-12 21:23:21

*Thread Reply:* https://support.apple.com/guide/mdm/defer-software-updates-mdm02df57e2a/web

aaron (aaron@groundctl.com)
2019-12-12 21:23:45

*Thread Reply:* This example in particular:
> For example, you have an iPhone fleet running the latest version of iOS 12 and you have applied a deferred software update payload of 90 days to all of them. As the table above illustrates, iPhone users begin to have iOS 13.0 offered to them on December 18, 2019, as 90 days have passed since the launch of iOS 13.0.

aaron (aaron@groundctl.com)
2019-12-12 21:24:55

*Thread Reply:* You may consider removing the deferral restriction, so users are prompted for 13.3 instead.

Jeoffrey Burri (generi@generi.ch)
2019-12-12 21:49:13

*Thread Reply:* Thanks @aaron! My users are not allowed to decline any update I generously decided to offer them 🙂. I'll remove the deferral altogether since many bugs got fixed in the meantime.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-13 08:14:12

*Thread Reply:* BTW, don't try combining deferral with allowing a specific version to update to. It simply doesn't work properly

AU-Consultant (sambenenge@gmail.com)
2019-12-13 01:32:28

iOS per-app VPN question for you... I know it is possible to apply per-domain VPN for Safari, but is it possible to route all Safari traffic via a per-app VPN? Is this as easy as putting an asterisk into the Safari Domains field?

Doug316 (dougwill316@gmail.com)
2019-12-13 06:21:34

@Doug316 has joined the channel

iMZ (mark_zimmermann@me.com)
2019-12-16 20:55:08

Can anybody send me a screenshot with an enterprise iCloud icon / setting?

Sharkey (lukesharkey@gmail.com)
2019-12-19 16:50:52

Anyone have some links to the new DEP customization screens for iOS Apple is releasing? Videos etc.

Sharkey (lukesharkey@gmail.com)
2019-12-19 16:51:22

I've seen them around but can't remember where by now 👀

iMZ (mark_zimmermann@me.com)
2019-12-19 16:59:34

*Thread Reply:* SimpleMDM allowed me to generate my own screen ... it’s there since 13.0

Sharkey (lukesharkey@gmail.com)
2019-12-19 18:06:03

*Thread Reply:* Realize that, just looking for some demonstration videos etc

iMZ (mark_zimmermann@me.com)
2019-12-19 17:07:33

Does somebody know this? Is the PushMagic within the iOS backup? Local / iCloud?

mathijs (mathijs.de.ruiter@fondo.nl)
2019-12-23 10:52:50

@mathijs has joined the channel

Danny V. (danny.valladares@icloud.com)
2019-12-26 16:08:33

@Danny V. has joined the channel

Wannes De Boodt (wannesdeboodt@gmail.com)
2020-01-04 12:05:35

@Wannes De Boodt has joined the channel

JaR3 (reesemachine@gmail.com)
2020-01-11 21:35:05

@JaR3 has joined the channel

Julian Brennan (julian.brennan@m2k.com.au)
2020-01-13 03:01:37

@Julian Brennan has joined the channel

Woody (eric.woodland@trust.tc)
2020-01-13 20:20:33

Can DEP set device name similar to how Configurator does?

Sharkey (lukesharkey@gmail.com)
2020-01-13 20:24:08

*Thread Reply:* Yep. Supervised is supervised.

Woody (eric.woodland@trust.tc)
2020-01-13 20:26:05

*Thread Reply:* @Sharkey Is that a config that is pushed post DEP wizard?

Sharkey (lukesharkey@gmail.com)
2020-01-13 20:27:24

*Thread Reply:* Yeah. Part of the managed settings I believe.

Woody (eric.woodland@trust.tc)
2020-01-13 20:28:44

*Thread Reply:* K. Trying to find it in MI Core. Don’t know if they included it in the UI

Sharkey (lukesharkey@gmail.com)
2020-01-13 20:29:58

*Thread Reply:* It’s not a profile for sure. At least in WS1.

Woody (eric.woodland@trust.tc)
2020-01-13 20:31:30

*Thread Reply:* I wonder if we can set a device name prefix and have it generate based on that…

Sharkey (lukesharkey@gmail.com)
2020-01-13 20:32:58

*Thread Reply:* Possible in WS1. Not sure if it sticks in settings. Might have to set a restriction profile to grey it out.

Woody (eric.woodland@trust.tc)
2020-01-13 20:35:36

*Thread Reply:* Where is it located in WS1? I’ve checked most areas in MI Core but perhaps I’m overlooking it

Sharkey (lukesharkey@gmail.com)
2020-01-13 20:39:22

*Thread Reply:* Never mind. Wrong spot

Sharkey (lukesharkey@gmail.com)
2020-01-13 20:39:49

*Thread Reply:*

👍 Michael Troelstrup, Cedric Lüke
Stephen (stephen.stansfield@oa.mo.gov)
2020-01-13 21:03:28

*Thread Reply:* Also have to either allow name changes (not applying the block profile) or be iOS 13+

👍 Woody
Almar Diehl (almar.diehl@blaud.com)
2020-01-13 21:03:43

*Thread Reply:* In MI Core as of 10.5 you can create a Change Device Name policy for supervised devices.

👍 Woody
Almar Diehl (almar.diehl@blaud.com)
2020-01-13 21:04:35

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2020-01-14 14:26:32

*Thread Reply:* Nice! I’ll get our DEV up to 10.5. Thanks @Almar Diehl and @Stephen

Phill (phill_mcsherry@hotmail.com)
2020-01-14 04:58:02

@Phill has joined the channel

Gregory (gregory.troalen@gmail.com)
2020-01-14 08:20:56

@Gregory has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2020-01-14 14:49:09

Does anyone already have experience with managed Apple IDs and using them for arbitrary Apple services? We are in the process of federating our main mail domain with Apple Business Manager. Existing Apple IDs using that mail domain need to be renamed or will be renamed automatically after the grace period. We currently have no idea if the new managed Apple IDs can be used in other Apple portals that we use as a company like Apple Dev network or Apple eCommerce portal. Did anyone already move through that process and can share some insights?

iMZ (mark_zimmermann@me.com)
2020-01-15 06:29:52

*Thread Reply:* That would be interesting...

Derek H (derekharkin@gmail.com)
2020-02-04 23:09:43

*Thread Reply:* We got the word that they should be able to be used everywhere, a couple of months ago there were some exceptions but not anymore

Woody (eric.woodland@trust.tc)
2020-01-16 16:06:41

Anyone found a way to scan a QR code to join WiFi during iOS setup wizard? Looking to avoid handing-out a SSID/PSK for the network we’re going to use to enroll devices

Tycho (tycho@schenkeveld.com)
2020-01-16 16:08:47

*Thread Reply:* I don't think so, but you know people will figure that out in 2 minutes right? There's always a smartass in every office that will tell everyone the key and within a week every unauthorised device will be on it 🤣 (I know because I used to be one of those smartasses before I was in IT)

😆 Woody, Jason
Tycho (tycho@schenkeveld.com)
2020-01-16 16:09:27

*Thread Reply:* I view QR more as a convenience feature rather than to hide the PSK

👍 Woody
Marc van der Kooy (marc.vanderkooy@gmail.com)
2020-01-16 17:04:35

*Thread Reply:* @Woody why not create a temp wifi just for the enrollment with simple password?

Nick (nickdiaz@gmail.com)
2020-01-16 18:16:00

*Thread Reply:* At one organization, I created a dedicated SSID named "Provisioning" open network, no PSK. It was throttled to 1mbps, and was filtered to only allow access to Apple, Google and the MDM. The WAP was tuned to low power that only spanned a radius of the provisioning rooms within the building.

Woody (eric.woodland@trust.tc)
2020-01-16 19:59:27

*Thread Reply:* @Nick That’s actually more the direction we’re going. A Provisioning network with limited access/bandwidth.. to be used strictly to ramp-up into EMM.

👍 Nick, Jason
David F (david.fink@gov.bc.ca)
2020-01-16 17:56:33

Hey all. Just looking to confirm iOS wifi password sharing would not share domain based credentials. We use domain credentials for corp wifi I should say.

iMZ (mark_zimmermann@me.com)
2020-01-21 10:26:13

Nice seminar (in German): https://www.comconsult-akademie.de/ios-im-unternehmen/

Balaji Arumugam (BArumugam.CAI@transitchicago.com)
2020-01-21 16:47:57

@Balaji Arumugam has joined the channel

Woody (eric.woodland@trust.tc)
2020-01-24 14:39:45

Curious - Who’s gone down the path of entirely disabling use of iOS native Mail/Calendar/Contacts in favor of the Google GMail/Calendar apps (for use with GSuite)? Well received or not?

Stephen (stephen.stansfield@oa.mo.gov)
2020-01-24 14:45:11

*Thread Reply:* There is not a contacts app from Google; you have to use the iOS native one

Woody (eric.woodland@trust.tc)
2020-01-24 14:47:05

*Thread Reply:* @Stephen yeah, we were discussing that using CardDAV. My thinking is that the two aren’t going to integrate well

Stephen (stephen.stansfield@oa.mo.gov)
2020-01-24 14:53:49

*Thread Reply:* Google's own advice is to use the native contacts and Google account profile. I am not sure how you would integrate CardDAV and would only do so with a really, really good reason. Once you have contacts you get mail and calendar, so you might as well use them native, plus all apps with a send email button go to native

Woody (eric.woodland@trust.tc)
2020-01-24 16:17:32

*Thread Reply:* Right @Stephen? That’s my thought as well. Don’t mix/match

Damian (support@expertmobilite.com)
2020-01-24 14:47:40

Hello, does anyone know if it’s possible to obtain the MAC address of authorised iOS devices through an API call to the ABM? We would like to pre-authorise all corporate devices on our WiFi network before starting their enrollment on WS1 UEM.

Stephen (stephen.stansfield@oa.mo.gov)
2020-01-24 15:03:58

*Thread Reply:* Mac address is not a field that ABM gives out

Andrew Olpin (andy@olpin.us)
2020-01-24 15:32:27

*Thread Reply:* Is there a reason you're using a MAC filter? Spoofing a MAC address is pretty easy. Might work better to do something like certificate based auth, and have WS1 deploy the certificates and wifi config on enrollment.

👍 Tycho
Tycho (tycho@schenkeveld.com)
2020-01-24 15:35:48

*Thread Reply:* @Andrew Olpin Yeah that's exactly what we do. It offers great security.

But I suppose @Damian is looking to do this to facilitate the enrolment itself. This is actually a tough point for us too. If a device has no 4G (like most iPads we have) it's really annoying to get them onboarded because our guest network times out too quickly.

Paul Conaty (pconaty@cwsi.ie)
2020-01-24 15:35:59

*Thread Reply:* Definitely, I would go with RADIUS auth using certs

Paul Conaty (pconaty@cwsi.ie)
2020-01-24 15:36:49

*Thread Reply:* for enrolment i would suggest a dedicated enrolment SSID with minimal restrictions and then deploy the corporate SSID via MDM

👍 Mark Vonk
Marc van der Kooy (marc.vanderkooy@gmail.com)
2020-01-24 18:43:45

*Thread Reply:* @Tycho Create a hidden "Apple Store" network without password. oops did i say that out loud? 🤔

Damian (support@expertmobilite.com)
2020-01-26 18:15:07

*Thread Reply:* Should have explained a bit better! Our corp Wi-Fi is actually outsourced so it’s public in a sense that requires registration via SMS and only lasts 24h. We need to register all corporate iOS devices’ MAC address before enrollment begins. Might just have to poll our carrier’s database or export of some kind.

Paul Conaty (pconaty@cwsi.ie)
2020-01-28 16:48:05

*Thread Reply:* roundabout option but if you had a simple secondary wi-fi box you could attach them all to then you could export the MAC addresses from there maybe

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2020-01-28 16:25:07

Has anyone heard of the below issue in the GA Version of iOS 13.3?? Any insight would be greatly appreciated.
• New mail item arrives and notification is displayed on screen
• Item does not appear in the inbox, but in the deleted items folder in an unread state.
Appears to happen with users hosted in Exchange Online or Exchange 2010 on-prem. Exchange audit log shows a "MoveToDeletedItems" Action from the mailbox owner for the item.

Melkon Torosyan (melkon.torosyan@sbb.ch)
2020-01-29 14:06:33

@Melkon Torosyan has joined the channel

Timothy Byler (timothy@compassfoundation.io)
2020-01-29 16:25:57

Does anyone have a source for documentation for the Apple ABM API calls

DirkC (dcarey@vmware.com)
2020-01-29 17:57:19

*Thread Reply:* My understanding is that the ABM API is only available to MDM partners and is not published due to them not being customer-facing.

Phil Burk (philburk@mac.com)
2020-01-29 20:31:15

*Thread Reply:* Other partners have some documentation as well but @DirkC is correct - you have to be a partner of Apple to have access to that.

DirkC (dcarey@vmware.com)
2020-01-29 20:32:11

*Thread Reply:* Maybe one day Apple will expose a REST API endpoint for public consumption.

🤞 DirkC, Timothy Byler, Cedric Lüke
aaron (aaron@groundctl.com)
2020-01-29 22:14:03
aaron (aaron@groundctl.com)
2020-01-29 22:18:50

*Thread Reply:* Or is that the legacy DEP Portal documentation?

Mikey2000 (mscottscranton079@gmail.com)
2020-01-30 15:40:09

@Mikey2000 has joined the channel

Shane (wright.shane@live.com)
2020-01-31 16:55:34

@Shane has joined the channel

Damian (support@expertmobilite.com)
2020-02-03 16:55:31

Just started a thread on the workspace one forum if anyone wants to contribute? Thanks https://mobilxperts.slack.com/archives/C1V75UE76/p1580748855065200

Patrick Hogeboom (p.hogeboom@zetacom.nl)
2020-02-05 12:28:34

@Patrick Hogeboom has joined the channel

iMZ (mark_zimmermann@me.com)
2020-02-06 10:46:36

How can I delete a complete ABM for my company permanently?

Matthew Shaver (mshaver@us.ibm.com)
2020-02-06 18:18:52

*Thread Reply:* I believe the only way is to contact Apple Support

Ray Domingue (raydomingue@gmail.com)
2020-02-10 21:51:05

*Thread Reply:* @iMZ Out of curiosity ... why are you wanting to completely remove ABM from your company?

Andre Nguyen (donion23@yahoo.com)
2020-02-06 14:56:46

@Andre Nguyen has joined the channel

Jason Logsdon (jason@logsdon.cc)
2020-02-10 22:33:13

@Jason Logsdon has joined the channel

Drew Miller (drew.miller@alaskaair.com)
2020-02-12 21:48:21

@Drew Miller has joined the channel

Denis MICHEL (dmi@itsibelem.com)
2020-02-13 14:31:46

@Denis MICHEL has joined the channel

Thomas TERRIEN (tte@itsibelem.com)
2020-02-13 14:35:50

@Thomas TERRIEN has joined the channel

gregos000 (gsa@itsibelem.com)
2020-02-13 14:49:11

@gregos000 has joined the channel

Yohann MORISSEAU (ymo@itsibelem.com)
2020-02-14 14:37:26

@Yohann MORISSEAU has joined the channel

Nick Knight (arpknight@gmail.com)
2020-02-21 01:32:45

Hey guys can we legally virtualise a Mac? We need a Mac for Configurator 2 as we use the update and backup features.

Sharkey (lukesharkey@gmail.com)
2020-02-21 01:33:44

*Thread Reply:* Legal? The OS itself is free. I use Mac VMs all the time for DEP deployment engineering.

Nick Knight (arpknight@gmail.com)
2020-02-21 01:34:22

*Thread Reply:* Thanks, was just checking if there was anything in the T&C's regarding VMs

Sharkey (lukesharkey@gmail.com)
2020-02-21 01:36:00

*Thread Reply:* Haven’t read anything specific from Apple. Sure they would discourage it. If worried, buy yourself an old, cheap Mac mini. It will do the job.

Nick Knight (arpknight@gmail.com)
2020-02-21 01:38:52

*Thread Reply:* Can I ask what VM environment you are running? Wondering if we can store the VM on a network server and have USB passthrough to connect devices to the local machine

Sharkey (lukesharkey@gmail.com)
2020-02-21 01:41:03

*Thread Reply:* I’m just running them in a Mac using parallels. Nothing fancy.

Peter Mohr (pm@conscia.com)
2020-02-21 07:13:09

*Thread Reply:* I seem to remember that you are only allowed to run macOS on Apple hardware. You can use Parallels/Fusion/etc on your MacBook/MacMini but are not allowed to run the same VM in VMware Workstation on Windows....

Nick Knight (arpknight@gmail.com)
2020-02-21 07:25:42

*Thread Reply:* Thanks, that's the impression I'm getting too, plus the fact I think the Mac VM only runs on Mac hardware

Peter Mohr (pm@conscia.com)
2020-02-21 07:49:11

*Thread Reply:* Ahh. You can actually get the Mac to run in a VM on Windows - so I've heard :)

Tycho (tycho@schenkeveld.com)
2020-02-21 09:59:40

*Thread Reply:* Yes you can do it with donk's unlocker on Windows, not legally of course.

Cool thing is on ESXi if you install it on a Mac it will automatically enable macOS guests.

Jay (jay@project-xy.com)
2020-02-21 10:02:09

*Thread Reply:* Yes, as stated above, it's only “legal” to run OSX VMs on Mac hardware, and normally Apple only allows host + 2 OSX VMs under the EULA

Niklas Jenslöv (niklas.jenslov@gmail.com)
2020-02-24 07:11:15

@Niklas Jenslöv has joined the channel

Bennie L. Callies, Jr. (bennie.callies@symphonytalent.com)
2020-02-24 17:13:29

@Bennie L. Callies, Jr. has joined the channel

Anders Hermansson (anders.hermansson@techstep.se)
2020-02-28 14:40:32

@Anders Hermansson has joined the channel

Bo Snitkjær Nielsen (snitkjaer@gmail.com)
2020-03-02 21:12:20

@Bo Snitkjær Nielsen has joined the channel

Woody (eric.woodland@trust.tc)
2020-03-03 14:57:44

On iOS, the GMail client is the best for my users. We don’t need any of the native apps. Prove me wrong 🙂

🤦‍♂️ Boe
Peter Mohr (pm@conscia.com)
2020-03-03 15:13:36

*Thread Reply:* native mail: great integration with your on-device services
Gmail (or Outlook or other 3rd party): less integration with on-device services (maps etc) but perhaps better integration with backend services

👍 Woody
Woody (eric.woodland@trust.tc)
2020-03-03 15:22:21

*Thread Reply:* @Peter Mohr Oh, and… Google has GMail AND Google Calendar. Those will sync contacts to our user’s device for phone calls, right?

🤦‍♂️ Woody
Peter Mohr (pm@conscia.com)
2020-03-03 15:46:44

*Thread Reply:* @Woody maybe, but my point is integration. If you want your users to be able to use their contacts for Siri, for Maps, for other 3rd party apps etc then you might need to go Native. It also depends on your level of GDPR compliance 🙂 As an example, if you use MS Outlook and want to have contacts and caller ID, then you need to enable iCloud sync for your contacts. This puts corporate contacts in a personal iCloud <> GDPR compliant... Then you need to limit contacts to stay inside Outlook and then you have lost your users... Perhaps GMail is different, I don't know...

Woody (eric.woodland@trust.tc)
2020-03-03 15:48:14

*Thread Reply:* @Peter Mohr Totally know where you’re coming from. My statement above was received from my counterparts who maintain our GSuite service

Peter Mohr (pm@conscia.com)
2020-03-03 15:48:51

*Thread Reply:* @Woody 🙂 I figured. just trying to put in arguments to help you...

🙂 Woody
Peter Mohr (pm@conscia.com)
2020-03-03 15:49:27

*Thread Reply:* but basically you need to choose between on-device integration and back-end integration

Peter Mohr (pm@conscia.com)
2020-03-03 15:49:49

*Thread Reply:* I choose on-device integration whenever I can !!

Woody (eric.woodland@trust.tc)
2020-03-03 15:50:23

*Thread Reply:* Great way to look at it though! The back-end integration in this case is less than existent. On-device is certainly preferred.

🙂 Peter Mohr
Nico Hermeling (nico.hermeling@outlook.com)
2020-03-03 15:56:29

*Thread Reply:* Does GMail have CallKit integrated to identify the caller ID without syncing contacts to native contacts app?

✅ Woody
Peter Mohr (pm@conscia.com)
2020-03-03 15:59:00

*Thread Reply:* @Nico Hermeling even if it has CallKit I'd also like to be able to use my contacts from Waze, Paypal, Messages, Maps etc... CallKit doesn't help there.

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-03 16:01:44

*Thread Reply:* It was a general question, not in regards of your point of view.

✅ Woody
Peter Mohr (pm@conscia.com)
2020-03-03 16:03:14

*Thread Reply:* I know 🙂 my point was that callKit is not super important (but relevant for sure)

Peter Mohr (pm@conscia.com)
2020-03-03 17:32:32

*Thread Reply:* Google Hangouts supports CallKit, but GMail doesn't as far as I can tell. Google Contacts is synced using the "accounts and passwords" in native settings UI

Peter Mohr (pm@conscia.com)
2020-03-03 17:33:49

*Thread Reply:* @Woody last point: GMail can't be configured using MDM on iOS (again, to my knowledge) and thus Native is better 🙂

We don't want/need users to do anything to get rolling. We'll set everything up for them

✅ Woody
Damian (support@expertmobilite.com)
2020-03-03 15:50:28

Does anyone know if iOS « user enrollment » allows the creation of a passcode for the « work » side? I can’t find info on this. We want to stop enforcing a passcode change on the entire change for our users on personal devices.

👍 Woody
Woody (eric.woodland@trust.tc)
2020-03-03 15:51:17

That’s a good Q @Damian. I need to get back to PoCing User Enrollment

Sharkey (lukesharkey@gmail.com)
2020-03-03 15:51:56

Doubtful since Apple doesn’t want you to feel separated.

Damian (support@expertmobilite.com)
2020-03-03 15:52:26

Well they are making efforts here so fingers crossed

Peter Mohr (pm@conscia.com)
2020-03-03 16:00:54

"we don't believe in dual-personas" - some Apple dude (Jobs?)
User enrollment is about privacy and not about dual-personas. There's no "work challenge" as Android Enterprise has

Stephen (stephen.stansfield@oa.mo.gov)
2020-03-03 16:01:02

You may want to look if you can just stop requiring passcode changes; security guidelines do not recommend it anymore

Peter Mohr (pm@conscia.com)
2020-03-03 16:02:40

@Stephen yes. stop forcing users to change. make it longer (6-8-10 and maybe even add some complexity) and let it stay the same...

Damian (support@expertmobilite.com)
2020-03-03 16:04:50

Interesting

Damian (support@expertmobilite.com)
2020-03-03 16:05:30

@Stephen You got a link to these security guidelines for iOS?

Stephen (stephen.stansfield@oa.mo.gov)
2020-03-03 16:10:42

Not iOS specific, they are general ones: https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/ and they are not the only ones

👍 Thomas B., Damian
Dimi (1547@live.co.uk)
2020-03-03 21:20:53

*Thread Reply:* NIST recommended this in 2017, majority of companies are struggling to accept this new recommendation.

Paul Conaty (pconaty@cwsi.ie)
2020-03-04 07:26:30

*Thread Reply:* check the NCSC guidelines on this. good reference https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

👍 Damian
Paul Conaty (pconaty@cwsi.ie)
2020-03-04 07:27:32

*Thread Reply:* also Cyber essentials have good guidance https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure

Paul Conaty (pconaty@cwsi.ie)
2020-03-04 07:28:06

*Thread Reply:* relevant section of Cyber Essentials guidance

Password-based authentication

The Applicant must make good use of the technical controls available to it on password-protected systems. As much as is reasonably practicable, technical controls and policies must shift the burden away from individual users and reduce reliance on them knowing and using good practices. Users are still expected to pick sensible passwords.

For password-based authentication in Internet-facing services the Applicant must:
• protect against brute-force password guessing, by using at least one of the following methods:
    • lock accounts after no more than 10 unsuccessful attempts
    • limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
• set a minimum password length of at least 8 characters
• not set a maximum password length
• change passwords promptly when the Applicant knows or suspects they have been compromised
• have a password policy that tells users:
    • how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet)
    • not to choose common passwords — this could be implemented by technical means, using a password blacklist
    • not to use the same password anywhere else, at work or at home
    • where and how they may record passwords to store and retrieve them securely — for example, in a sealed envelope in a secure cupboard
    • if they may use password management software — if so, which software and how
    • which passwords they really must memorise and not record anywhere

The Applicant is not required to:
• enforce regular password expiry for any account (we actually advise against this — for more information see The problems with forcing regular password expiry)
• enforce password complexity requirements

👍 Woody, Damian
iMZ (mark_zimmermann@me.com)
2020-03-06 08:30:39

Does anyone know an overview when to use the profile manager of macOS server and when to use Jamf, MobileIron or something else?

Prip (prithviprasadk@hotmail.com)
2020-03-06 10:36:51

Guys, is there a minimum required version of Intelligent Hub for iOS 13? Logs show - MDM Break requested on device after update to iOS 13.

Rajesh Kumar (rajes20@gmail.com)
2020-03-06 13:13:45

Any idea how we can add or access shared mailbox on iOS devices via native email app if user is on O365..??

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-06 13:32:22

*Thread Reply:* As far as I know, shared mailboxes are not supported for ActiveSync. Outlook Mobile uses Exchange Web Services, which support it.

Rajesh Kumar (rajes20@gmail.com)
2020-03-06 13:33:17

*Thread Reply:* Yes..thanks nic...got it..

Nick Knight (arpknight@gmail.com)
2020-03-06 22:19:43

*Thread Reply:* Outlook app on O365 will do it

Ray Domingue (raydomingue@gmail.com)
2020-03-06 22:29:10

*Thread Reply:* Outlook > Settings > Add Mail Account (under Mail Accounts) > Add Shared Mailbox

aaron (aaron@groundctl.com)
2020-03-06 13:22:20

The native Outlook mail app allows this, I believe.

Steven (steven@pro.incogni.ch)
2020-03-09 09:31:41

@Steven has joined the channel

Nima (nima@zandi.dk)
2020-03-10 07:06:36

@Nima has joined the channel

Viktor Dmitriev (Viktor.Dmitriev@bluecue.de)
2020-03-10 10:45:38

@Viktor Dmitriev has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-03-12 13:04:05

Is it possible to configure the hotspot „APN“ for iOS devices with MI Core (cellular policy)?

Thomas B. (tbosboom@apple.com)
2020-03-12 16:31:24

*Thread Reply:* Should be, https://support.apple.com/guide/mdm/cellular-mdma34b7357/1/web/1

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-12 17:00:21

*Thread Reply:* Policies & Config / Configurations / Add New / Apple / iOS / tvOS / APN ?

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-12 17:01:06

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-03-13 07:41:04

*Thread Reply:* This APN config was deprecated a long time ago and only configures the APN, not the personal hotspot

Mikey2000 (mscottscranton079@gmail.com)
2020-03-13 07:42:20

*Thread Reply:* @Thomas B. Thanks, but it says nothing about the personal hotspot, only the main APN

Roo (r.roopali@gmail.com)
2020-03-16 23:16:41

@Roo has joined the channel

dr.ramanansv (dr.ramanansv@gmail.com)
2020-03-21 12:39:27

@dr.ramanansv has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2020-03-24 19:52:19

Shared iPad for Business is live: https://support.apple.com/guide/mdm/shared-ipad-overview-cad7e2e0cf56/web

👍 Woody, Cedric Lüke, Jay, Thomas B.
Boe (bkelley1982@gmail.com)
2020-03-24 19:58:15

*Thread Reply:* I wonder how long until the big MDM's will support this new feature

Peter Mohr (pm@conscia.com)
2020-03-24 20:20:03

*Thread Reply:* Shouldn't be too long as far as I've heard.... It's very much like EDU Shared ipads. Just minor changes in the admin part

👍 Woody, Jason, Thomas B.
David F (david.fink@gov.bc.ca)
2020-03-24 20:24:37

*Thread Reply:* Business doesn't get the 200gb icloud chunk per user correct?

Peter Mohr (pm@conscia.com)
2020-03-24 20:26:23

*Thread Reply:* correct

David F (david.fink@gov.bc.ca)
2020-03-24 20:30:20

*Thread Reply:* will have to do some testing, we disable a lot of the cloud features via our MDM for data sovereignty concerns.

Roo (r.roopali@gmail.com)
2020-03-26 00:45:20

*Thread Reply:* Is this only for Apple EDU?

Woody (eric.woodland@trust.tc)
2020-03-26 13:22:19

*Thread Reply:* @Roo Not anymore 😉

👍 Roo, Thomas B.
Thomas B. (tbosboom@apple.com)
2020-03-30 19:28:21

*Thread Reply:* Also included temporary sessions, like a guest account for iPad

✅ Woody
Woody (eric.woodland@trust.tc)
2020-03-31 20:38:27

*Thread Reply:* That’s awesome @Thomas B. 🙂

Peter Mohr (pm@conscia.com)
2020-04-02 08:14:41

*Thread Reply:* here is WS1 info on the subject: https://techzone.vmware.com/blog/what-are-shared-ipads-business

👍 Thomas B.
Andrew Montague (amontague78@gmail.com)
2020-03-26 17:14:39

@Andrew Montague has joined the channel

Timothy Byler (timothy@compassfoundation.io)
2020-03-27 19:30:27

Does anyone know if it is possible to prevent sharing notes from the Notes app through Messages?

Here is the scenario; I am admining a group of iPhones that are not supposed to have Messaging of any kind but they need the Notes app. They have discovered that they can go to Notes and write a note and tap on the Share icon and then they can share the Note via Messages even though we have Messages Blacklisted and are not allowing iMessage. The question is can this behavior be prevented?

Stephen (stephen.stansfield@oa.mo.gov)
2020-03-27 21:16:35

*Thread Reply:* By blacklisting I am guessing you mean you hid the messages app?

Timothy Byler (timothy@compassfoundation.io)
2020-03-27 21:58:37

*Thread Reply:* Yes, I have it in the Blacklist in Jamf Pro

Peter Mohr (pm@conscia.com)
2020-03-28 10:01:45

*Thread Reply:* And DLP settings can't stop this? Allow open documents from managed sources in unmanaged destinations set to false? I would think this would stop your issue

Timothy Byler (timothy@compassfoundation.io)
2020-03-28 18:00:38

*Thread Reply:* Changing those settings doesn't seem to make any difference in the behavior.😢

Mathieu Beaugrand (beaugrandma@gmail.com)
2020-03-29 23:11:00

*Thread Reply:* Notes won’t be flagged as managed, as it is a system app. I guess the only way would be to promote a third party note taking app, and deploy it via MDM to flag it as managed, then the open-in restriction should apply.

Peter Mohr (pm@conscia.com)
2020-03-30 08:12:25

*Thread Reply:* But Mail, Calendar, Contacts and Safari do support manage/unmanaged settings even if they are system apps so perhaps a managed account in Notes will do the same (haven't tested Notes though) - But just because they are system apps doesn't mean that they can't handle managed open-in 🙂

Mathieu Beaugrand (beaugrandma@gmail.com)
2020-03-30 23:00:22

*Thread Reply:* You are right, but they use either managed account or managed domains respectively, so that is why you can apply open-in restrictions to it. No such things in Notes though…

Timothy Byler (timothy@compassfoundation.io)
2020-04-01 18:48:13

*Thread Reply:* Thanks for all the help on this

Kiran Patel (kiran@kiranpatel.net)
2020-03-27 21:54:45

Does anyone here know if the iOS books app allows you to deeplink to PDFs in the app? We must PDF’s to the iOS Books app from our MDM and want to make it easier for users to find them. iBooks:// launches it but want something to launch directly to the PDFs we push

jaimin.s (jaimins@gmail.com)
2020-03-27 22:03:57

*Thread Reply:* Are you pushing PDFs to iBooks? If so you can convert to ePub before pushing then use “itms-books://“ to open up that ePub possibly.

Kiran Patel (kiran@kiranpatel.net)
2020-04-01 02:17:55

*Thread Reply:* Currently yes we are publishing PDFs. If we use “itms-books://“ what would the url of the ePub after be? The file name?

Kiran Patel (kiran@kiranpatel.net)
2020-04-01 02:19:16

*Thread Reply:* iBooks:// also launches the books app but just want to show users the PDFs or ePubs we push down

Alex Durrant (Alex.durrant@hybrit.co.uk)
2020-03-30 16:22:34

@Alex Durrant has joined the channel

Jordan Philip (jordan.philip@mobilesolutions.net)
2020-03-31 15:41:26

Good morning everyone! Does anyone have any information on when (if not already) Modern Authentication will be supported in the Apple Setup Assistant for DEP enrollments?

Jordan Philip (jordan.philip@mobilesolutions.net)
2020-03-31 15:42:08

Currently arguing with a buddy of mine who has it working for MacOS DEP enrollments, stating the same should work for iOS... but I'm not finding anything!

Stephen (stephen.stansfield@oa.mo.gov)
2020-03-31 15:44:19

It is, you do have to use the custom enrollment flow with mdm support

Peter Mohr (pm@conscia.com)
2020-03-31 15:45:23

yes, modern auth works in iOS 13+ and iPadOS 13+ it must be enabled in the DEP profile in your MDM

💯 jafullersr, Woody
Woody (eric.woodland@trust.tc)
2020-03-31 20:54:08

*Thread Reply:* Does SAML/Modern Auth need to be enabled for your MDM appliance as a whole, which is then extended to the Apple DEP facet for enrollment?

Woody (eric.woodland@trust.tc)
2020-03-31 20:58:57

*Thread Reply:* Does not yet appear to be an option inside MI Core 10.6

Woody (eric.woodland@trust.tc)
2020-03-31 21:00:37

*Thread Reply:*

Chesky Herskovic (5634627@gmail.com)
2020-03-31 19:16:54

@Chesky Herskovic has joined the channel

danlux (dan.luchsinger@dignityhealth.org)
2020-04-01 03:12:27

Does anyone know if there is a bulk way to create managed Apple IDs? Use Case: We would like to enable FaceTime on hundreds or thousands of locked down WiFi-only DEP iPads. We do not have Azure AD in our environment. Ideally we don't want to create each account manually.

jaimin.s (jaimins@gmail.com)
2020-04-01 03:27:11

Here's a kludgey automated way

jaimin.s (jaimins@gmail.com)
2020-04-01 03:30:27

1.) Contact Apple to have your anti-fraud clearance reupped (this lasts for thirty day stretches).

2.) Create email accounts via iMacros. Just feed it a list of addresses via text file.

3.) Create iTunes accounts with a "free" account (No credit card attached, purposed for VPP). Use iMacros here and feed the above created accounts.

4.) Verify iTunes account.

Peter Mohr (pm@conscia.com)
2020-04-01 07:07:47

*Thread Reply:* OR if you have ABM/ASM but no Azure. Just upload a CSV file into the AxM environment and all the accounts get created.

Jason (jasonh@bridgeway.co.uk)
2020-04-01 10:00:42

*Thread Reply:* ^^ This.

aaron (aaron@groundctl.com)
2020-04-01 10:32:07

*Thread Reply:* Sounds great, but I can’t see where to upload. I’m probably missing something obvious. @Peter Mohr or @Jason can you post more details?

Peter Mohr (pm@conscia.com)
2020-04-01 10:39:00

*Thread Reply:* https://support.apple.com/en-us/HT207029

Peter Mohr (pm@conscia.com)
2020-04-01 10:39:27

*Thread Reply:* Sftp is your friend here

aaron (aaron@groundctl.com)
2020-04-01 10:44:48

*Thread Reply:* Does Apple Business Manager have the same feature?

Peter Mohr (pm@conscia.com)
2020-04-01 10:47:38

*Thread Reply:* Ahh. I might have overlooked that SFTP is not supported by ABM. It only works in ASM 😞 dammit

Jason (jasonh@bridgeway.co.uk)
2020-04-01 11:27:22

*Thread Reply:* Mind you, I would also argue that AAD integration would probably be the default method for most organisations, so this upload wouldn’t be necessary?

Ajay Patel (ajay5675@msn.com)
2020-04-01 11:42:40

*Thread Reply:* @Jason this would only be the case if you are using AAD as your primary IdP and of course your users haven't set up Apple ID's with their email address previously.

aaron (aaron@groundctl.com)
2020-04-01 11:44:27

*Thread Reply:* @danlux says he doesn’t have Azure AD. For shits and giggles, I just tried federating groundctl.com to our (mostly unused) AAD test environment, and Apple says there are 45 Apple ID conflicts. Curious, since we had at most 18 employees…

Jason (jasonh@bridgeway.co.uk)
2020-04-01 11:50:27

*Thread Reply:* @Ajay Patel @aaron I was talking about the more general case, sorry for any misunderstanding. I recognise that this won’t always apply, but it probably would be the default approach for most organisations looking at doing this afresh.

aaron (aaron@groundctl.com)
2020-04-01 11:57:28

*Thread Reply:* Yes, especially considering the lack of any alternative.

jafullersr (jafuller@starbucks.com)
2020-04-01 21:58:41

*Thread Reply:* AAD being the only IdP integration is short sighted. Use standards based integrations rather than product specific integrations when it comes to identity (SAML, OAuth, OpenID, etc) would be much more viable for most enterprise customers.

:upvote: AJ, Jason
Roo (r.roopali@gmail.com)
2020-04-02 06:46:48

Any one here an expert on Apple Purchasing program? It may be a silly query but it's confusing me a bit. Are the licensing options different for Mobile devices when compared to Desktop? If I need to roll out MS Teams app would i need an E1 license to get all the features on the mobile app too? Any help to clarify this is appreciated. Thank you all 🙂

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-02 07:03:30

*Thread Reply:* I'm not an MS License expert but O365 E1 should do the trick for teams since the app doesn't need to get licensed with ms (other than office). Just buy it in ABM for free. BUT you will need EMS/Intune licenses for security

👍 Roo
DirkC (dcarey@vmware.com)
2020-04-02 17:11:38

*Thread Reply:* The apps themselves are free and will work in a read-only mode. When the user signs into the application, it will allow the user access to the application depending on the SKU you assigned to the AAD user.

👍 Roo
DirkC (dcarey@vmware.com)
2020-04-02 17:12:26

*Thread Reply:* Might be different for macOS though. Application might refuse to function unless it is licensed.

Roo (r.roopali@gmail.com)
2020-04-02 21:44:50

*Thread Reply:* Thank you @DirkC, that makes sense. However we are currently using ABM with Workspace One.

Peter Mohr (pm@conscia.com)
2020-04-03 11:59:42

Yes! We now have an SSO extension from Microsoft 🙂 https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

✔️ Ajay Patel, Rajesh Kumar, Roo, Phil Hackett
🙏:skin_tone_2: Cedric Lüke, Mark Vonk, Ben
:beerparrot: Andrew Montague
Kiran Patel (kiran@kiranpatel.net)
2020-04-03 20:49:04

*Thread Reply:* this is huge - do you know if there's a plist on what the config to the device needs to look like in case we aren't using intune

Peter Mohr (pm@conscia.com)
2020-04-04 08:28:53

*Thread Reply:* For share device or for the SSO extension?

Kiran Patel (kiran@kiranpatel.net)
2020-04-10 14:39:26

*Thread Reply:* SSO extension

Peter Mohr (pm@conscia.com)
2020-04-10 16:57:26

*Thread Reply:* ?? The config options are listed at the top. In the section "Enable the SSO extension with mobile device management (MDM)" https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#enable-the-sso-extension-with-mobile-device-management-mdm

This is standard iOS 13 SSO Extension config parameters. No plist/app config required

David F (david.fink@gov.bc.ca)
2020-04-06 18:37:15

does anyone have handy, I think it was WWDC last year, where Apple said we'd need Managed Apple ID's and Device Supervision to manage corp owned devices going forward?

Jason (jasonh@bridgeway.co.uk)
2020-04-07 09:39:29

*Thread Reply:* I don’t recall it being mandatory - just that if you want access to corporate style restrictions, the only way will be if the device is supervised, hence ABM/DEP enrolment.

Jason (jasonh@bridgeway.co.uk)
2020-04-07 09:40:05

*Thread Reply:* Apple is revoking the restrictions/controls over BYOD to protect user’s privacy

Jason (jasonh@bridgeway.co.uk)
2020-04-07 09:40:33

*Thread Reply:* As for Managed AppleIDs, I have not seen any mention of these being mandatory for anyone?

Jason (jasonh@bridgeway.co.uk)
2020-04-07 09:41:42

*Thread Reply:* The WWDC video you’ll be looking for is session 303: https://developer.apple.com/videos/play/wwdc2019/303/

👍 Thomas B.
David F (david.fink@gov.bc.ca)
2020-04-06 18:37:54

not finding anything specific to managed Apple ID's in here just yet https://developer.apple.com/documentation/devicemanagement/restrictions

Tycho (tycho@schenkeveld.com)
2020-04-06 18:40:04

Oof I'm glad because there's many situations where Managed IDs aren't an option

Tycho (tycho@schenkeveld.com)
2020-04-06 18:40:18

Like in our case where the email address doesn't match the UPN

David F (david.fink@gov.bc.ca)
2020-04-06 18:43:38

and we've been telling users for .... 3 years now to use their work account for their apple ID, conflicts ahoy!!

🤣 Tycho
Tycho (tycho@schenkeveld.com)
2020-04-07 12:44:09

*Thread Reply:* That too.... You have to resolve all the conflicts when you sign up. Great, when you have 160.000 users and there's no API to automate it 😛

😮 David F
David F (david.fink@gov.bc.ca)
2020-04-07 15:02:35

*Thread Reply:* yikes, you've got 10x the users, I can't even...

Paul Troisi (ptroisi@troymobility.com)
2020-04-06 19:50:02

@Paul Troisi has joined the channel

Paul Troisi (ptroisi@troymobility.com)
2020-04-06 19:56:16

Hello iOS group, I would like to pose a question about whether the volume button can be disabled on a Supervised iPad. Use case is an app needs to always be on audio with no ability to lower or silence via the volume button. Cannot find anything in Restrictions using MI Cloud, and trying to figure out what options are available to disable. Love to hear feedback on this. Thanks all!

aaron (aaron@groundctl.com)
2020-04-06 19:57:26

It’s possible if you use single app mode. Otherwise no.

Paul Troisi (ptroisi@troymobility.com)
2020-04-06 20:03:23

Hey Aaron, so I can disable in SA mode only. Interesting because you would need to be in Supervised mode to get there. is that a SA mode feature or a Supervised feature? Hope you are well Aaron.

aaron (aaron@groundctl.com)
2020-04-06 20:12:20

Hi Paul. It’s a feature of Single App mode, but that’s possible only when supervised… so… both? Anyway, here’s the actual documentation. These settings are permitted, but may not be visible in every MDM. https://developer.apple.com/documentation/devicemanagement/applock/app/options

aaron (aaron@groundctl.com)
2020-04-06 20:14:07

The new iMazing Profile Editor includes these options: https://imazing.com/profile-editor

Paul Troisi (ptroisi@troymobility.com)
2020-04-06 20:15:41

Outstanding. I will review. Thanks Aaron

iMZ (mark_zimmermann@me.com)
2020-04-12 18:42:18

*Thread Reply:* Why do we need this editor ?

Woody (eric.woodland@trust.tc)
2020-04-07 14:41:31

Had a senior moment / Noticed iPadOS kept trying to install the WebEx Add-in (for MacOS) whenever I was attempting to join company WebEx sessions. Apparently Safari on iPad OS defaults to requesting desktop versions of sites as of recently. Guess it's part of trying to have iPadOS/MacOS unification. https://help.webex.com/en-us/WBX9000031720/I-m-Prompted-to-Install-the-Webex-Add-on-While-Joining-a-Meeting-on-my-iPad

Johannes Harbs (harbs.johannes@gmail.com)
2020-04-07 14:47:48

*Thread Reply:* Yep, iPad OS identifies as MacOS in Safari. Started right away when iPad OS was introduced.

👍 Woody, Tycho
Woody (eric.woodland@trust.tc)
2020-04-07 14:49:03

*Thread Reply:* Yeah! I do wish they would allow to disable that setting for selective sites, instead of across the board. I’d rather keep it identifying as desktop.. but only stick with “mobile” for WebEx

Mark Vonk (mark.vonk@dahvo.com)
2020-04-07 16:00:22

*Thread Reply:* This actually causes more issues. For example registering the device on MobileIron Cloud. When Safari is set to Desktop, the device will be seen by MI Cloud as a macOS device rather than an iPadOS device. So be careful with that desktop mode in Safari

Woody (eric.woodland@trust.tc)
2020-04-07 17:08:13

*Thread Reply:* Yeah / I noticed that while I was enrolling to test Core + Access SaaS last week @Mark Vonk. I wonder if it's possible to disable as a Supervised control?

Tycho (tycho@schenkeveld.com)
2020-04-07 17:46:59

*Thread Reply:* Same with Box (dropbox alternative). It prompts to install the compliance validation tool for Mac...

Tycho (tycho@schenkeveld.com)
2020-04-07 17:47:49

*Thread Reply:* Though I have to say, if programs are using the User-Agent header they are doing it wrong... It's nothing but a kludge.

👍 Woody
Tycho (tycho@schenkeveld.com)
2020-04-07 17:48:38

*Thread Reply:* At least the browser makers are understanding that now too.. https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2020-04-10 14:40:11

*Thread Reply:* Most vendors fixed this before iOS 13 went GA. Can’t believe Webex hasn’t yet

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2020-04-10 14:40:56

*Thread Reply:* Def a huge mess with user agent strings and will be interesting to see how Google’s move shifts things

Woody (eric.woodland@trust.tc)
2020-04-13 14:12:58

*Thread Reply:* @Kiran Patel curious what vendors that addressed it used to identify the device as still being an iPad. Or if they went with the Client Hints framework?

Rajesh Kumar (rajes20@gmail.com)
2020-04-07 17:55:55

Has anyone updated your Apple devices to iOS v13.4? Any major issues? I can see issues with sound and banner notifications not functioning correctly after the update.

Almar Diehl (almar.diehl@blaud.com)
2020-04-07 19:14:02

*Thread Reply:* Have an issue with full screen webclips in 13.4. It takes 10 to 15 seconds to open the webpage. Disabling the full screen option 'solves' the issue.

iMZ (mark_zimmermann@me.com)
2020-04-09 12:51:37

*Thread Reply:* I have an issue with the AirPods for outgoing phone calls

Rajesh Kumar (rajes20@gmail.com)
2020-04-10 11:00:17

*Thread Reply:* Apple has released 13.4.1

Kiran Patel (kiran@kiranpatel.net)
2020-04-10 14:42:01

*Thread Reply:* We’ve seen that if Safari is set to private mode that our webclips for our enterprise App Store that uses CBA doesn’t work with no real error that helps an end user

sbe (sbe@itsibelem.com)
2020-04-13 08:15:32

@sbe has joined the channel

iMZ (mark_zimmermann@me.com)
2020-04-13 18:54:18

Has someone an example pac file for APNS Access over proxy under iOS 13.4 ?

Ajay Patel (ajay5675@msn.com)
2020-04-14 09:03:48

*Thread Reply:* Read the section about HTTP Proxy at the bottom of this URL https://support.apple.com/en-gb/HT210060 I assume this is what you refer to?

Thomas B. (tbosboom@apple.com)
2020-04-15 08:38:55

*Thread Reply:* Have you checked the test plan for Proxy PAC APNS on AppleSeed for IT?

Asier Puente (asier.puente@versia.com)
2020-04-14 11:08:26

@Asier Puente has joined the channel

David F (david.fink@gov.bc.ca)
2020-04-14 19:43:51

I don't have a ton of info at this point, and a single user so far. wifi only ipad refuses to join corporate AP
• device has been wiped
• multiple physical location attempted
• multiple user accounts attempted
• there is supposed to be a cert prompt that doesn't happen
• date/time/timezone all check out
is this an ios 13.4 quirk?

aaron (aaron@groundctl.com)
2020-04-14 20:06:36

The device is enrolled in MDM? Perhaps the MDM is pushing a WiFi profile, perhaps with a bad password, to the device?

David F (david.fink@gov.bc.ca)
2020-04-14 23:17:49

*Thread Reply:* enrolled in my corporate workspace one tenancy, we don't do a wifi profile

David F (david.fink@gov.bc.ca)
2020-04-14 23:18:32

*Thread Reply:* networks insists they see it authenticating successfully.

aaron (aaron@groundctl.com)
2020-04-15 00:56:02

*Thread Reply:* Maybe this: https://support.apple.com/en-us/HT210176

iMZ (mark_zimmermann@me.com)
2020-04-20 15:14:18

Who knows which MDM actually supports the temporary session for Shared iPad feature ?

aaron (aaron@groundctl.com)
2020-04-20 15:37:15

*Thread Reply:* The only thing for MDM to support is to disable the guest login. Do you mean that?

iMZ (mark_zimmermann@me.com)
2020-04-20 15:38:04

*Thread Reply:* Ok, but why didn’t i see the shared user option on my iPad (supervised, DEP, 13.4) ?

aaron (aaron@groundctl.com)
2020-04-20 15:43:55

*Thread Reply:* Ah, you threw me off with the question about temporary… The shared features are a DIFFERENT supervision option.

aaron (aaron@groundctl.com)
2020-04-20 15:44:22

*Thread Reply:* And that option is visible only if you enable EDUCATION features. (This is AirWatch-specific, not sure about other MDMs.)

iMZ (mark_zimmermann@me.com)
2020-04-20 19:24:40

*Thread Reply:* Ok, hmm , i enrolled my iPad with DEP via Apple Configurator :(

Stephen (stephen.stansfield@oa.mo.gov)
2020-04-20 21:11:47

*Thread Reply:* Airwatch has not added support for Business use for shared iPads yet, they say it is coming in a new console coming in a few weeks https://blogs.vmware.com/euc/2020/03/what-are-shared-ipads-for-business.html

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-21 08:29:46

*Thread Reply:* MobileIron will add it in near future too

Kim Ljungberg (kim.ljungberg@oracle.com)
2020-04-22 21:15:19

@Kim Ljungberg has joined the channel

Roo (r.roopali@gmail.com)
2020-04-23 06:04:10

Hey all, is there any way to add emergency contacts as a webclip on iOS? Any one tried this? I am hoping to be able to apply the contact itself as a dialer

mathijs (mathijs.de.ruiter@fondo.nl)
2020-04-23 08:11:25

*Thread Reply:* Hi. You should be able to add a webclip with a tel:// link.

😁 Roo
Roo (r.roopali@gmail.com)
2020-04-23 09:22:36

*Thread Reply:* @mathijs Thanks for that

Roo (r.roopali@gmail.com)
2020-04-23 10:04:31

*Thread Reply:* Tried this out, seems like Safari blocks this out after I cancel the call three times. Then I have to accept thrice to allow it. Not a very reliable idea I guess. Now just looking for a way to permanently disable this block. 🙂

Cedric Lüke (mail@cedric.cc)
2020-04-23 10:23:48

I'm sure you've seen this security issue in the iOS mail app that was published yesterday: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/ Is anyone taking action based on this?

Alo Press (alo.press@outlook.com)
2020-04-23 12:49:42

*Thread Reply:* Yes, this looks pretty bad, but since there is no patch available it's a big decision for organisations. Most likely Apple will release a patch for this within a few days, then it doesn’t seem reasonable to start migrating users from Native app to Outlook/Gmail.

Options from Exchange ActiveSync:

  1. Block all iOS versions under 13.4.5
  2. Disable EAS until there is a patch
  3. Disable and Wipe Data

I am currently not aware if there are any proactive blocking or detection capabilities within Exchange or typical IPS software.

There is speculation about iVerify app being potentially able to detect this attack.

👍 Woody
Alo Press (alo.press@outlook.com)
2020-04-23 12:52:30

*Thread Reply:* Mitigation actions that I am aware of are:
• Update to latest beta 13.4.5 using Apple Beta Software Program
• Disable auto sync- Go to Settings > Password & Accounts. Set Fetch New Data to “Manual” and disable “Push”.
• Use Safari or dedicated E-Mail clients such as GMail and Outlook

👍 Woody
Woody (eric.woodland@trust.tc)
2020-04-23 16:45:37

*Thread Reply:* Agree with you @Alo Press, no point in rushing to migrate people to a brand new app as they’ll address and patch in a very short window

Woody (eric.woodland@trust.tc)
2020-04-23 16:54:05

*Thread Reply:* Also curious to know if any of the email content that can trigger the vulnerability made it past SPAM/Junk filters of any of the major Email players.

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2020-04-23 19:55:46

*Thread Reply:* Question is given the severity of the apparent severity of the vulnerability, will Apple release patches for iOS10/11/12 or are all iPhones prior to the 6S now a huge liability?

Woody (eric.woodland@trust.tc)
2020-04-23 20:33:08

*Thread Reply:* I’d guess they would touch them all, but to be safe I’m forcing out devices that don’t support 11, 12 or 13

Mikey2000 (mscottscranton079@gmail.com)
2020-04-24 05:41:38

*Thread Reply:* @Alo Press great input 👍 Switching to manual sync and disable push - that would only avoid automated actions but if the user will use the mail client we are back to square one, right? I am not sure what actions we should really take - like you guys mentioned migration to another app is a pain - especially for us. We use KCD with MobileIron so Outlook is out of the game. Email+ and Notifications is a pain if no VIP notifications are configured.

👍 Woody, Adrian Patrascu
Cedric Lüke (mail@cedric.cc)
2020-04-24 08:01:10

*Thread Reply:* Thanks for the great input. Given the (hopefully) near release of 13.4.5, our main action right now is to prepare end-user communication to get the devices updated as soon as possible

👍 Woody
Woody (eric.woodland@trust.tc)
2020-04-24 14:43:04

*Thread Reply:* We just had an internal huddle on this as well. Wanting to refrain from a knee-jerk reaction, especially with so many of our workforce being remote during this time, Would rather continue as-is and use Supervision to push the patch, knowing Apple has a fix in the pipeline.

Woody (eric.woodland@trust.tc)
2020-04-24 14:43:42

*Thread Reply:* Fun part is that I’m dealing with “Google Nation” over in our shop, so they take shots at iOS every chance they get

Mikey2000 (mscottscranton079@gmail.com)
2020-04-24 18:59:12

*Thread Reply:* Same here Woody!

😆 Woody
Boe (bkelley1982@gmail.com)
2020-04-24 20:20:35

*Thread Reply:* Maybe I'm reading this wrong but based on Apple's response to me it sounds like it's coming as a patch to iOS 13 rather than an Apple Mail app patch. So if I'm understanding that correctly the only way to be secure will be to go to that latest OS release or use a third party mail client. https://www.theverge.com/2020/4/24/21234163/apple-ios-ipados-mail-app-security-flaw-statement-no-evidence-exploit

Derek H (derekharkin@gmail.com)
2020-04-26 23:55:38

*Thread Reply:* iOS Mail app only ever gets updates in an OS update that I have seen

Woody (eric.woodland@trust.tc)
2020-05-22 16:04:59

*Thread Reply:* Was anyone able to find evidence of this in the iOS/iPadOS 13.5 release notes yesterday?

Boe (bkelley1982@gmail.com)
2020-06-03 15:57:12

*Thread Reply:* Hey @Woody did you ever come across anything saying it was actually patched? I see 13.5.1 is out but I still haven't been able to find anything confirming it's fixed

Woody (eric.woodland@trust.tc)
2020-06-03 16:14:11

*Thread Reply:* Yes @Boe.. one moment

Woody (eric.woodland@trust.tc)
2020-06-03 16:16:15

*Thread Reply:* https://support.apple.com/de-de/HT211168

Boe (bkelley1982@gmail.com)
2020-06-03 16:55:00

*Thread Reply:* awesome thank you for the link

Woody (eric.woodland@trust.tc)
2020-06-03 17:45:21

*Thread Reply:* @Boe you’re most welcome!

Damian (support@expertmobilite.com)
2020-04-24 10:32:26

Hi folks, I have to deploy a web clip on coronavirus alerts to our iOS devices. The problem I have is that they open with Safari by default. The link is hosted on O365 and as we can’t secure Safari we block login.microsoftonline.com and instead use the Microsoft Edge browser which is secured via Intune MAM. Any way around this? Thanks

Peter Mohr (pm@conscia.com)
2020-04-24 10:54:19

*Thread Reply:* You could secure Safari :-) or you can Use:

microsoftedgehttp:// or microsoft-edge-https:// in your web clip

Damian (support@expertmobilite.com)
2020-04-24 11:08:40

*Thread Reply:* Thanks! Could you expand on “secure” ? 😊

Peter Mohr (pm@conscia.com)
2020-04-24 12:12:48

*Thread Reply:* Sure. You can limit what Safari can be used for with a few different tools:

  1. Deploy “Safari Domains” - this tells Safari where corporate data is found and where personal data is found. For each site/tab it will then be treated as corp or personal data
  2. Deploy DLP restrictions to your device. You can limit how data flows in/out of the two containers/areas of your iOS devices. You can block CORP->Private but allow Private->CORP or vice versa or both or… You get the picture.
  3. To take this even further you can impose a white- or black-list of URLs in Safari. Then Safari itself will stop users from accessing blocked sites. You can also enable Apple's “auto-block” functionality and let Apple decide what is good and bad for your users.
  4. Finally you can also deploy some sort of MTD (Cisco Security Connector, Carbon Black - now from VMware, zimperium - integrated with MobileIron or even Microsoft ATP - in preview) to get on-device protection from outside threats.
Peter Mohr (pm@conscia.com)
2020-04-24 12:12:51

*Thread Reply:* 1-3 is built into iOS.. 4 is an additional agent of some sort

Damian (support@expertmobilite.com)
2020-04-24 12:46:40

*Thread Reply:* Yeah we studied Safari domains at the beginning of our project and there were some issues there. Can’t remember off the top of my head but we do currently use it for internal sites just not for O365. We also have DLP deployed but in testing this didn't apply to Safari and we, for example, were still able to download attachments from login.microsoftonline.com. Not sure if there are certain restrictions we missed there but it was all tested in conjunction with VMWare professional services.

Damian (support@expertmobilite.com)
2020-04-24 12:48:17

*Thread Reply:* Regarding the edge scheme that didn’t work - it just opens in Safari with this part even though I added the url after it: Microsoft-edge-https and nothing else. Can you add an example of this with the full url in case I’ve missed something ?

Peter Mohr (pm@conscia.com)
2020-04-24 12:49:37

*Thread Reply:* yeah, you can’t block download of attachments in Safari per domain, that must be done server side, BUT with Safari and DLP you can control WHERE those attachments end 🙂

Peter Mohr (pm@conscia.com)
2020-04-24 12:50:45

*Thread Reply:* Use this: Microsoft-edge-https://my.fqdn.com/vdir/

Peter Mohr (pm@conscia.com)
2020-04-24 12:51:27

*Thread Reply:* you must remove the normal http:// and https://

Damian (support@expertmobilite.com)
2020-04-24 12:52:02

*Thread Reply:* I did, will have a look after my lunch 😊

Peter Mohr (pm@conscia.com)
2020-04-24 13:03:26

*Thread Reply:* ok. I just tested again. works for me 🙂

Damian (support@expertmobilite.com)
2020-04-24 13:04:05

*Thread Reply:* Probably white space 😉 I’ll check in a bit

Damian (support@expertmobilite.com)
2020-04-24 16:15:47

*Thread Reply:* Working fine thanks

Damian (support@expertmobilite.com)
2020-04-24 16:16:49

*Thread Reply:* Just need to work out how to leverage Edge on Android for the same need

Damian (support@expertmobilite.com)
2020-04-24 16:17:30

*Thread Reply:* Created a web app for AFE but wondering how to force it to open Edge

Damian (support@expertmobilite.com)
2020-04-27 21:05:34

*Thread Reply:* @Peter Mohr any idea how to force it to use Edge on AFE - tried both microsoft-edge- and another variation microsoft-edge:

Peter Mohr (pm@conscia.com)
2020-04-27 21:09:25

*Thread Reply:* @Damian should be something like this: microsoft_edge:<https://www.google.com> but haven't tested this just now.....

Damian (support@expertmobilite.com)
2020-04-27 21:10:56

*Thread Reply:* Tried that variation and get “Enter a valid URL”

Damian (support@expertmobilite.com)
2020-04-27 21:11:35

*Thread Reply:* I’ll keep looking, in the meantime adding the guru here @Jason Bayton

Peter Mohr (pm@conscia.com)
2020-04-27 21:12:50

*Thread Reply:* it works on Windows 🙂

Damian (support@expertmobilite.com)
2020-04-27 21:15:15

*Thread Reply:* Yep, not the same as Android though lol

Peter Mohr (pm@conscia.com)
2020-04-27 21:16:47

*Thread Reply:* These guys have gotten it to work too: https://stackoverflow.com/questions/31909274/launching-microsoft-edge-with-url-from-code and https://stackoverflow.com/questions/59846066/url-scheme-to-call-the-microsoft-edge-app

how are you building your links on your device. Using mail or text or MDM or ?

Damian (support@expertmobilite.com)
2020-04-27 21:23:20

*Thread Reply:* I tried from Chrome within “Work” and it doesn’t work

Jason Bayton (jason@bayton.org)
2020-04-27 21:31:18

*Thread Reply:* Tricky. Webview is based on Chrome and that's how these apps launch, I'm not sure it's possible to swap out the underlying engine like this.

Peter Mohr (pm@conscia.com)
2020-04-27 21:31:41

*Thread Reply:* Isn't it "just" a link?

Peter Mohr (pm@conscia.com)
2020-04-27 21:31:55

*Thread Reply:* does it work on non-AE devices?

Damian (support@expertmobilite.com)
2020-04-27 21:34:22

*Thread Reply:* However...when I opened Edge in work for the first time I get this which allows me to choose Edge as the default browser. I wonder if it’s opening Edge or Chrome inside the web app. I’m going to block Chrome from the O365 url and see what happens

Jason Bayton (jason@bayton.org)
2020-04-27 21:34:57

*Thread Reply:* It's a webview application, the Chrome webview engine superseded Android's AOSP webview for GMS devices some years back so even if another browser is default, this still opens in Chrome webview and requires Chrome is on the device.

👍 Damian
Damian (support@expertmobilite.com)
2020-04-27 21:35:01

*Thread Reply:*

Damian (support@expertmobilite.com)
2020-04-27 21:37:34

*Thread Reply:* @Jason Bayton any concerns using Chrome “Work” for access to a single O365 url - our restrictions are pretty tight.

Damian (support@expertmobilite.com)
2020-04-27 21:39:54

*Thread Reply:*

Jason Bayton (jason@bayton.org)
2020-04-27 21:40:27

*Thread Reply:* No, managed config for Chrome will allow you to blacklist everything and whitelist only your chosen domain. The webapp will respect that also

Jason Bayton (jason@bayton.org)
2020-04-27 21:45:29

*Thread Reply:* Domain/URL/wildcard that is. Not just domain

Damian (support@expertmobilite.com)
2020-04-27 21:48:12

*Thread Reply:* Yep we control that already with our device traffic rules. On another note, blocking chrome on that url also renders the web app blocked and so is logical as per your previous comment. Thanks for taking the time to respond - appreciate the insight and have learned something today. Thanks to @Peter Mohr for his efforts 😉

Nick Knight (arpknight@gmail.com)
2020-05-06 06:39:37

*Thread Reply:* Fantastic thread :D

Roo (r.roopali@gmail.com)
2020-04-27 06:51:31

Hey all, has anyone created custom profiles for iPhone sound (ring and message tones) for MDM?

Woody (eric.woodland@trust.tc)
2020-04-27 14:30:15

*Thread Reply:* Following. AFAIK, there is no capability to do this in iOS.

Barbra Conner (iambac777@gmail.com)
2020-04-29 14:10:07

@Barbra Conner has joined the channel

Paul Conaty (pconaty@cwsi.ie)
2020-05-01 13:12:50

Hi guys, anyone aware of issues with DEP Macs going into recovery mode? Have a customer reporting about 20 MacBooks having this issue in the last 2 weeks

Paul Conaty (pconaty@cwsi.ie)
2020-05-06 10:32:48

*Thread Reply:* bump

Cormac OMalley (comalley@cwsi.ie)
2020-05-01 13:17:55

@Cormac OMalley has joined the channel

Lokesh Ojha (lojha@us.ibm.com)
2020-05-05 16:52:04

@Lokesh Ojha has joined the channel

Roo (r.roopali@gmail.com)
2020-05-07 00:55:50

Hi everyone, hope you all are doing alright. 🙂 Can anyone recommend a third party app for APNS notifications? Certain apps don't work so well when on standby and do not receive notifications so I needed ideas on what third party apps can be used to provide just push notification to these devices? Or does it HAVE to be embedded in the app SDK alone?

Hiten Shah (1hitenshah@gmail.com)
2020-05-07 00:59:17

@Hiten Shah has joined the channel

ZL (mobilepros@zolik.co.uk)
2020-05-07 13:29:38

@ZL has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-05-07 16:35:26

Has anyone paid attention to this vulnerability on iOS devices and what can we do with MI Core?

https://world-today-news.com/another-zero-day-vulnerability-in-ios-apps-can-break-out-of-sandbox/

🙈 Raul, Woody, Roo
Raul (rnadal@mobileiron.com)
2020-05-07 16:39:04

*Thread Reply:* Thanks for sharing @Mikey2000

👍 Mikey2000, Woody
Woody (eric.woodland@trust.tc)
2020-05-07 16:59:38

*Thread Reply:* This is due to be addressed in 13.5 (which is in Beta 4). I’d guess they’ll have it releasing as quickly as possible.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-07 17:27:18

*Thread Reply:* Agree.. let’s see if they will release it mid may. Not sure if there is anything you can do right now anyway!

Paul Conaty (pconaty@cwsi.ie)
2020-05-07 17:37:46

*Thread Reply:* really interesting exploit. link is in article @Mikey2000 posted but just in case here is the detail https://siguza.github.io/psychicpaper/

🙏 Mikey2000
Paul Conaty (pconaty@cwsi.ie)
2020-05-07 17:38:41

*Thread Reply:* no evidence apps would get past App Store checks though so risk is probably low for managed corporate devices

👍 Mikey2000, Woody
NicolasR (raison_nicolas@me.com)
2020-05-07 17:53:43

*Thread Reply:* @Mikey2000 MTD would detect this anyway with Elevation of Privileges threat

👍 Mikey2000, Paul Conaty, Woody
Woody (eric.woodland@trust.tc)
2020-05-22 16:04:15

*Thread Reply:* Was anyone able to find evidence of this being addressed in the 13.5 release notes yesterday?

NicolasR (raison_nicolas@me.com)
2020-05-22 16:04:38

*Thread Reply:* ZecOps confirmed 12.4.7 & 13.5 fixed

NicolasR (raison_nicolas@me.com)
2020-05-22 16:04:52

*Thread Reply:* https://twitter.com/zecops/status/1263516074634440706?s=21

👍 Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2020-05-22 16:05:44

*Thread Reply:* Haha / I bet ZecOps was waiting patiently for that proof

NicolasR (raison_nicolas@me.com)
2020-05-24 22:32:11

*Thread Reply:* https://blog.zecops.com/vulnerabilities/hidden-demons-maildemon-patch-analysis-ios-13-4-5-beta-vs-ios-13-5/

NicolasR (raison_nicolas@me.com)
2020-05-24 22:32:19

*Thread Reply:* Interesting 😉

Mikey2000 (mscottscranton079@gmail.com)
2020-05-27 04:39:05

*Thread Reply:* Since the updates are out now, how do you block versions which are lower than 13.5 and 12.4.7 with one security policy - I guess that’s not possible since there is only one dropdown field. Suggestions for MobileIron Core?

-Use two security policies and use filter labels which target the specific versions - if this is possible

-Use the version check in a compliance policy instead the security policy

Raul (rnadal@mobileiron.com)
2020-05-27 09:28:45

*Thread Reply:* I’d create 2 labels using Model and OS as conditions, and apply 2 different security policies, one to each label

👍 NicolasR, Mikey2000
Woody (eric.woodland@trust.tc)
2020-05-12 16:39:38

Has anyone played around with this new DLP feature from Google? https://gsuiteupdates.googleblog.com/2020/04/ios-dxp-data-exfiltration-protection.html

Woody (eric.woodland@trust.tc)
2020-05-12 17:10:39

*Thread Reply:* Curious what tech it uses to complement an existing MDM scenario

Paul Conaty (pconaty@cwsi.ie)
2020-05-13 08:55:35

*Thread Reply:* looks very similar to Intune app protection (MAM) controls

Paul Conaty (pconaty@cwsi.ie)
2020-05-13 08:55:59

*Thread Reply:* It's all within the Google apps so prob not using any native capability

👍 Woody, Adrian Patrascu
Woody (eric.woodland@trust.tc)
2020-05-13 22:18:42

*Thread Reply:* Agree @Paul Conaty. Probably messy to administer alongside iOS native

Caryn (Csnshop@icloud.com)
2020-05-12 17:20:55

@Caryn has joined the channel

Todd Cole (toddcole13@hotmail.com)
2020-05-14 01:05:22

@Todd Cole has joined the channel

Bastian (bastian@i211.de)
2020-05-14 10:06:18

@Bastian has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-05-15 18:33:13

We want to push a managed app config for Safari (or other browser) to an iOS device with MobileIron Core, so we can set bookmarks and other settings. Is that possible? Any experiences?

Raul (rnadal@mobileiron.com)
2020-05-15 18:50:14

*Thread Reply:* AFAIK iOS only accepts webclips

Raul (rnadal@mobileiron.com)
2020-05-15 18:50:42

*Thread Reply:* depending on the URL it will open one or other browser

Raul (rnadal@mobileiron.com)
2020-05-15 18:50:53

*Thread Reply:* http:// and https:// always opens Safari

Raul (rnadal@mobileiron.com)
2020-05-15 18:51:01

*Thread Reply:* chrome:// opens chrome

Raul (rnadal@mobileiron.com)
2020-05-15 18:51:03

*Thread Reply:* and so on

Mikey2000 (mscottscranton079@gmail.com)
2020-05-15 18:51:51

*Thread Reply:* Great input - thank you 👍✌️

Raul (rnadal@mobileiron.com)
2020-05-15 18:52:52

*Thread Reply:* 🍻

🍺 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-05-15 20:59:56

*Thread Reply:* Can I run a webclip in Single App Mode?

Mark Vonk (mark.vonk@dahvo.com)
2020-05-16 15:40:23

*Thread Reply:* If you are on MobileIron, you can use their Web@Work browser. That one does allow for bookmarks configured from Core

Mikey2000 (mscottscranton079@gmail.com)
2020-05-16 19:21:50

*Thread Reply:* Right Mark, thanks. Sorry I forgot to mention I am looking for a browser which I can run in single app mode (one website) and maybe SSO - and W@W is not supported in Single App Mode (at least that is what the MI support told us)..

Woody (eric.woodland@trust.tc)
2020-05-19 00:20:44

Fun one: Backed-up kids iPads to iCloud (iPad Mini) and restored to new iPad Air units. Everything went swimmingly, except the fact that it did not restore the proper screen-time lock code. Anyone else encountered this?

Woody (eric.woodland@trust.tc)
2020-05-19 02:26:51

Alright, figured this one out. Moved from Devices running iOS 12 to 13. Didn't realize the iCloud Family Sharing dictates the Screen Time lock code across the Child's account #SeniorMoment

😂 Boe
😮 Jay
Ajay Patel (ajay5675@msn.com)
2020-05-19 13:02:28

what's everyone's thoughts on disabling the activation lock if a device is enrolled into ABM? Personally i cannot see the need to have the activation lock as the DEP enrolment process would stop anyone in their tracks if a device was stolen (as long as its not removed from the ABM portal).

aaron (aaron@groundctl.com)
2020-05-19 13:26:12

*Thread Reply:* Activation lock requires the prior user’s Apple ID name and password when a device is set up. It locks that device to the user. But every DEP device is owned by a company, not an individual user. Why give users power over the company like that?

I agree. Turn it off always.

👍 Peter Mohr, Ajay Patel, Mark Vonk
Ajay Patel (ajay5675@msn.com)
2020-05-19 13:27:36

*Thread Reply:* @aaron agreed, yet i still see SOO many customers with this option enabled and i couldnt think of any genuine reason as to why

aaron (aaron@groundctl.com)
2020-05-19 13:33:17

*Thread Reply:* Bad feature design compounded by poor UX? Call it “Apple ID password lock-out” and nobody will enable it. Even better, never show this in any MDM. Supervision already disables activation lock — this feature defeats supervision and forces activation lock on.

👍 Mark Vonk
Sharkey (lukesharkey@gmail.com)
2020-05-19 14:18:07

*Thread Reply:* I’m in agreement. I’ve racked my brain for use cases for this and can’t seem to come up with any viable reasons 🤷‍♂️

brob (brian.robinson@gartner.com)
2020-05-19 15:20:48

*Thread Reply:* We have a use case where people trade in their DEP device at an Apple Store to get $ for a personal device. Apple will accept the trade in unless AL is enabled. MDMs can enable AL but our MDM (WS1) doesnt support this yet. I realize this may not be super prevalent but it has happened multiple times

brob (brian.robinson@gartner.com)
2020-05-19 15:31:57

*Thread Reply:* My Apple SE suggested we enable AL with our MDM to help prevent people stealing/re-selling. VMware said theyre working on implementing this MDM feature. I didnt realize its in beta until i looked up the command: https://developer.apple.com/documentation/devicemanagement/activation_lock_a_device

Ajay Patel (ajay5675@msn.com)
2020-05-19 16:12:33

*Thread Reply:* i never noticed this feature isnt available in WS1!! It's available in most MDM's already if im not mistaken?

brob (brian.robinson@gartner.com)
2020-05-19 16:17:33

*Thread Reply:* I thought the same. I know other MDMs have it. Whats confusing is based on the link above its still in Apple beta but maybe it has some new changes in beta. WS1 can allow/disallow AL but they arent able to set it. When I opened a VMware case they said theyre working on supporting it though.

Sharkey (lukesharkey@gmail.com)
2020-05-19 16:23:09

*Thread Reply:* Having it in DEP and assigned would prevent use after theft as well.

Sharkey (lukesharkey@gmail.com)
2020-05-19 16:24:27

*Thread Reply:* I’ve also used DEP to catch thieves.

Sharkey (lukesharkey@gmail.com)
2020-05-19 16:24:43

*Thread Reply:* KME as well for that matter

Peter Mohr (pm@conscia.com)
2020-05-19 21:19:21

*Thread Reply:* In WS1 we're using this. Isn't this exactly what we're looking at?? It's been there "forever"

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:32:13

*Thread Reply:* I think what we’re saying is that it makes it possible to use it; it doesn’t actually activate it

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:33:26

*Thread Reply:* Although if you enable that and then are allowed to use find my iPhone on the iPhone wouldn’t that actually just turn on activation lock?

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:33:51

*Thread Reply:* I’ve never actually tried because I’ve never actually enabled that setting

brob (brian.robinson@gartner.com)
2020-05-19 21:34:11

*Thread Reply:* Hey @Peter Mohr that setting is to allow/disallow the user to enable AL. WS1 doesnt support enabling AL via MDM during DEP enrollment

brob (brian.robinson@gartner.com)
2020-05-19 21:36:04

*Thread Reply:* looks like SimpleMDM supports MDM enabling AL and their description of it is, well simple. https://docs.simplemdm.com/article/124-activation-lock

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:36:13

*Thread Reply:* I mean technically there is no actual setting on the iPhone that turns on activation lock, activation lock simply gets turned on via find my iPhone. Turning that setting off just tells iOS that activation lock is not allowed so it doesn’t turn it on.

Peter Mohr (pm@conscia.com)
2020-05-19 21:36:30

*Thread Reply:* @brob true, WS1 doesn't enable AL. But with this setting I can allow the user to enable AL (or not). User can always use "Find my"... just without the AL...

Peter Mohr (pm@conscia.com)
2020-05-19 21:36:49

*Thread Reply:* How would WS1 turn on AL. To which AppleID?

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:37:19

*Thread Reply:* SimpleMDM is saying that you need an Apple ID and password set on the device in order to use it. That means you have to sign in to iCloud, which means you turn on Find My iPhone; you cannot just turn on activation lock on its own

Peter Mohr (pm@conscia.com)
2020-05-19 21:37:46

*Thread Reply:* Ahh. got it: If activation lock was enabled by SimpleMDM at the time of device enrollment, the Apple ID of the administrator that generated the Automated Enrollment (DEP) server token within Apple Business Manager may be entered.

brob (brian.robinson@gartner.com)
2020-05-19 21:38:10

*Thread Reply:* We were having a lot of employees trade in DEP iOS devices at Apple Stores. I reached out to my Apple SE to see what we could do and he said we should use our MDM to enable AL so the Apple Stores wont accept the trade ins anymore. VMware said theyre working on supporting it

brob (brian.robinson@gartner.com)
2020-05-19 21:38:22

*Thread Reply:* yes exactly

Peter Mohr (pm@conscia.com)
2020-05-19 21:39:18

*Thread Reply:* Weird that Apple doesn't just check to see if the device is DEP enabled and then don't offer trade in

brob (brian.robinson@gartner.com)
2020-05-19 21:39:35

*Thread Reply:* no kidding, i was surprised that they dont

brob (brian.robinson@gartner.com)
2020-05-19 21:40:04

*Thread Reply:* i havent heard of anyone trading in a mac but i dont see why they couldnt

Peter Mohr (pm@conscia.com)
2020-05-19 21:40:16

*Thread Reply:* I guess that is what this is for then:

brob (brian.robinson@gartner.com)
2020-05-19 21:41:09

*Thread Reply:* ah nice, what cn is that. i just checked cn135 and i see where i can enable it…

brob (brian.robinson@gartner.com)
2020-05-19 21:41:39
brob (brian.robinson@gartner.com)
2020-05-19 21:42:58

*Thread Reply:* heres a better one

Peter Mohr (pm@conscia.com)
2020-05-19 21:43:58

*Thread Reply:* Mine was CN1108 (20.04.04)

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:44:29

*Thread Reply:* You are trying to solve an hr problem with a policy that will make other issues, a better tack may be the fact your employees have a fraud problem saying the device is theirs

brob (brian.robinson@gartner.com)
2020-05-19 21:44:32

*Thread Reply:* ah, cn135 is one of the dev CNs and it’s on 20.6

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:44:44

*Thread Reply:* So you need managed Apple IDs I imagine.

brob (brian.robinson@gartner.com)
2020-05-19 21:45:00

*Thread Reply:* totally agree Stephen

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:46:02

*Thread Reply:* I’m still at a loss why apple Stores would take a device that comes up with remote management 🤷‍♂️

Peter Mohr (pm@conscia.com)
2020-05-19 21:46:18

*Thread Reply:* I don't think you need MAIDs. Just the admin/DEP token MAID

Peter Mohr (pm@conscia.com)
2020-05-19 21:46:30

*Thread Reply:* Agree @Sharkey

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:46:55

*Thread Reply:* I wonder if that is policy or a badly trained store

brob (brian.robinson@gartner.com)
2020-05-19 21:47:18

*Thread Reply:* i agree with everyone 🙂 i dont see the harm in forcing AL although id have to test it

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:47:29

*Thread Reply:* Retail isn’t the best at following policy

brob (brian.robinson@gartner.com)
2020-05-19 21:47:33

*Thread Reply:* i checked and none of the stores check for DEP

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:47:40

*Thread Reply:* The harm is when devices get wiped they get asked for the password

brob (brian.robinson@gartner.com)
2020-05-19 21:47:41

*Thread Reply:* only AL

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:48:12

*Thread Reply:* Also moving devices between users becomes a real mess

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:48:15

*Thread Reply:* And then Apple has the power to remove it from DEP. that’s just maddening.

brob (brian.robinson@gartner.com)
2020-05-19 21:48:33

*Thread Reply:* yeah true, not sure about how to handle that. i guess we could get the bypass code but thats a help desk call at least

brob (brian.robinson@gartner.com)
2020-05-19 21:48:59

*Thread Reply:* agree, whats worse is we have no indication when apple or carrier/resellers remove devices from DEP

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:48:59

*Thread Reply:* adding tons of complexity and failures (those codes do not always work) without much reward

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:49:19

*Thread Reply:* Yeah. Bypass can be obtained from the console. Provided you don’t delete the record, even after unenrolling.

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:49:52

*Thread Reply:* The real thing to address is why your workers are stealing phones in mass

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:49:55

*Thread Reply:* Interesting chat fellas. Gets some ideas in my head :)

brob (brian.robinson@gartner.com)
2020-05-19 21:50:02

*Thread Reply:* good point Stephen. i’ll bring this up to my manager. Apple recommended it as a way to prevent stealing so trying to follow through with investigating/testing

brob (brian.robinson@gartner.com)
2020-05-19 21:50:38

*Thread Reply:* right I agree, people are stealing and HR needs to take action regardless of what IT can do

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:51:00

*Thread Reply:* It is worth noting I come from a protect the data is key, not really caring about the devices value mindset

👍 Sharkey, brob
Sharkey (lukesharkey@gmail.com)
2020-05-19 21:51:59

*Thread Reply:* Yep, the devices are cheap in my shop. .99 cents cheap.

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-19 21:52:36

*Thread Reply:* in all but rare ones yep, they can buy the expensive ones but almost no one does

Sharkey (lukesharkey@gmail.com)
2020-05-19 21:53:16

*Thread Reply:* And if you don’t have it when you leave or need an upgrade. We make you pay the replacement cost which is full value.

Stephen (stephen.stansfield@oa.mo.gov)
2020-05-22 16:53:45

Apple still has not released security patch notes for 13.5 which is way longer than usual for no security notes

aaron (aaron@groundctl.com)
2020-05-23 00:22:40

FYI An excellent discussion of ways to distribute internal apps: https://mobilxperts.slack.com/archives/C1V75UE76/p1590150374343500

} Damian McMahon (https://mobilxperts.slack.com/team/U73U07BFH)
👍:skin_tone_3: mathijs, Damian, Adrian Patrascu
Mikey2000 (mscottscranton079@gmail.com)
2020-05-27 08:25:37

Force iOS Updates via MobileIron Core without WiFi - devices receive the message that update is only possible with a wifi connection. Is there a way to update without wifi?

Raul (rnadal@mobileiron.com)
2020-05-27 08:26:21

I don’t think that Apple allow this

Peter Mohr (pm@conscia.com)
2020-05-27 08:59:06

You can update without wifi. It depends on your carrier (-settings). Apple negotiates this for each carrier and puts the limits into the settings of each device. How to check??

iOS OTA updates: They are not limited by Apple, they may be limited by carrier bundles. To find out if this is the case, here is how you can find out if your carrier is limited:

  1. Fetch: https://itunes.apple.com/WebObjects/MZStore.woa/wa/com.apple.jingle.appserver.client.MZITunesClientCheck/version/
  2. Search for your carrier definition (try to find the newest one):
  3. for example TDC Denmark:
  4. https://updates.cdn-apple.com/2019/carrierbundles/041-69583-20190611-A1CF6148-8871-11E9-A0E7-6000395CF54D/TDC_dk_iPhone.ipcc
  5. in Terminal:
  6. curl --get https://updates.cdn-apple.com/2019/carrierbundles/041-69583-20190611-A1CF6148-8871-11E9-A0E7-6000395CF54D/TDC_dk_iPhone.ipcc --output TDCdkiPhone.zip
  7. Uncompress the .zip file and get a file ending in .bundle
  8. in Finder: “show package contents”
  9. Find carrier.plist and open with a text editor (BBEdit for example, or a plist editor). Voilà
👍 Woody
Damian (support@expertmobilite.com)
2020-05-29 10:09:19

Sharing here too! https://mobilxperts.slack.com/archives/C1V75UE76/p1590743160456300

} Damian McMahon (https://mobilxperts.slack.com/team/U73U07BFH)
🎉 NicolasR, Woody, Adrian Patrascu
NicolasR (raison_nicolas@me.com)
2020-05-29 12:33:26

*Thread Reply:* At last!

😂 Damian, Woody
Damian (support@expertmobilite.com)
2020-05-29 15:09:16

*Thread Reply:* Do you remember the thread I created around this a while back about managed apps being offloaded? Crazy...😆

Woody (eric.woodland@trust.tc)
2020-05-29 16:19:16

*Thread Reply:* So is Apple going to include a MDM control to prevent managed apps from being offloaded?

Damian (support@expertmobilite.com)
2020-05-29 18:55:58

*Thread Reply:* That’s the idea however unsure as to how they are going to achieve that exactly!

NicolasR (raison_nicolas@me.com)
2020-05-29 18:56:46

*Thread Reply:* I bet my balls that they will include the control only for Supervised devices...!!!

👍 Tycho, Adrian Patrascu
Damian (support@expertmobilite.com)
2020-05-29 18:59:39

*Thread Reply:* I already told them that this doesn’t concern supervised devices in our case so it’s a “global” change.

NicolasR (raison_nicolas@me.com)
2020-05-29 19:00:12

*Thread Reply:* Hope they will listen to you 🤞

Damian (support@expertmobilite.com)
2020-05-29 19:00:13

*Thread Reply:* I also just checked my supervised test device and I don’t see an option there to offload unused apps

Damian (support@expertmobilite.com)
2020-05-29 19:00:51

*Thread Reply:* Unless that is controlled by some obscure setting in the restrictions profile

Kiran Patel (kiran@kiranpatel.net)
2020-06-03 01:27:52

*Thread Reply:* I def recall hearing that if it was a managed app it wouldn't get offloaded. Crazy this is still an issue. Did this recently regress in an iOS 13 release?

Damian (support@expertmobilite.com)
2020-06-03 21:04:51

*Thread Reply:* It’s been like this forever...the fact that one of our VIP users got wiped due to the compliance policy based on hub being removed was the last straw...

Damian (support@expertmobilite.com)
2020-06-23 10:38:02

*Thread Reply:* Just got confirmation from Apple that this is fixed in iOS 14 beta which was released last night! Need to test ASAP

:the_horns: Woody
Matt N (matthewnoyes2@gmail.com)
2020-05-29 14:38:19

@Matt N has joined the channel

Ricardo Bouwkamp (ricardo@cloudyday.nl)
2020-06-03 10:43:54

@Ricardo Bouwkamp has joined the channel

Joe McDonald (joemcdonald@vmware.com)
2020-06-04 14:38:06

@Joe McDonald has joined the channel

👍 Thomas B.
Jay Robinson (Jay.Robinson@sas.com)
2020-06-05 14:43:54

@Jay Robinson has joined the channel

iMZ (mark_zimmermann@me.com)
2020-06-06 11:12:30

Which MDM rules do you use to detect, prevent or hinder jailbreaks of your devices early on?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-06-08 07:43:41

*Thread Reply:* Detect via MDM or MTD. Prevent: stop unknown developers, unknown sources, ADB (simply stop sideload and debug). Early action via local actions of MobileIron, so no roundtrip over servers is needed. Since most containers depend on device encryption/security (face/finger unlock, real time notifications, weaker implementations like Microsoft), wipe on jailbreak is done regardless of container or not.

Thomas B. (tbosboom@apple.com)
2020-06-12 16:24:03

*Thread Reply:* I would add prevent installation of config profiles by users and - depending on your threat model - also block USB/Lightning data access.

iMZ (mark_zimmermann@me.com)
2020-06-06 11:12:57

Does anyone of you have an overview of containers like Boxer and/or a recommendation when to (not) use them ?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-06-08 07:47:52

*Thread Reply:* if you need the extra security or have use cases native can’t do, use containers. If you want native things like callid in car on iOS simply work and be GDPR conform, native is better. In the end most implementations are mixed.

👍 Thomas B.
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-06-08 07:51:58

*Thread Reply:* The containers are tied to mdm, so its not really useful to only look at them

brandobot (brwong@linkedin.com)
2020-06-18 21:54:50

@brandobot has joined the channel

Ankit (ansaxena@linkedin.com)
2020-06-22 13:29:48

@Ankit has joined the channel

K. K. (kkhanna@tuev-nord.de)
2020-06-23 12:55:40

@K. K. has joined the channel

Peter Lehotai (peter.lehotai@gmail.com)
2020-06-23 12:58:46

@Peter Lehotai has joined the channel

Woody (eric.woodland@trust.tc)
2020-06-30 16:56:42

By chance… Does anyone happen to have stock footage of a DEP device enrolling with custom enrollment and Okta as the IdP for enrollment into the MDM?

Govi (byodmdm@gmail.com)
2020-07-04 02:46:47

Enquiring to know more about this Certification - GIAC Mobile Device Security Analyst (GMOB), anyone already completed and has more information? Possible to share tips and tricks ?

Magnus (mtrouw@apple.com)
2020-07-10 09:55:22

@Magnus has joined the channel

Glenn Schultz (gschultz@preshomes.org)
2020-07-14 15:57:43

@Glenn Schultz has joined the channel

YAS (esteem143@gmail.com)
2020-07-14 16:22:58

@YAS has joined the channel

faycal osseni (faycal.osseni@gmail.com)
2020-07-17 08:03:02

@faycal osseni has joined the channel

Vlastimil Turzík (vturzik@system4u.com)
2020-07-21 09:56:26

@Vlastimil Turzík has joined the channel

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-04 13:06:54

https://9to5mac.com/2020/08/01/new-unpatchable-exploit-allegedly-found-on-apples-secure-enclave-chip-heres-what-it-could-mean/

🤦 Boe, Mark Vonk, Raul
Boe (bkelley1982@gmail.com)
2020-08-05 14:39:09

Does anyone have any recommendations on how to easily clear up cached/temp files on a managed iPad? Is it possible to do this remotely thru an EMM or is there an app everyone recommends that can be deployed and used by a tech on site for this purpose?

Stephen (stephen.stansfield@oa.mo.gov)
2020-08-05 14:42:22

*Thread Reply:* What problem are you trying to solve that needs those to go away since that is not a thing for iPads there is no clear cache or temp files button

Boe (bkelley1982@gmail.com)
2020-08-05 14:43:40

*Thread Reply:* User has somehow maxed out the storage on the device (all 25gb) so it's either an app cache or browser cache. I'm still waiting for a tech to get hands on with the device to get more specifics but trying to figure out options ahead of time.

Boe (bkelley1982@gmail.com)
2020-08-05 14:44:58

*Thread Reply:* Also since the device is out of storage it's preventing it from taking OS updates as well.

Stephen (stephen.stansfield@oa.mo.gov)
2020-08-05 14:53:40

*Thread Reply:* clear cache is not an iOS option, also it is usually pictures browser cache is better behaved than that

Boe (bkelley1982@gmail.com)
2020-08-05 14:55:49

*Thread Reply:* Ya this looks to be a specific app that was causing it. Removing and re pushing the app down fixed it for now.

Timothy D (mrtimothyduong+mobilxperts@gmail.com)
2020-08-06 03:19:07

Going through some Apple DEP this morning and the Passcode screen is requesting for a Strong Passcode with 6 or more characters and 4 Special Characters. Where is this setting enabled? I can’t see it from an MDM DEP Profile (Intune) perspective… Is this new? The solution for now would be to skip the passcode screen. (Re-posting in the right channel)

NicolasR (raison_nicolas@me.com)
2020-08-06 11:23:31

*Thread Reply:* You should post in the #microsoft_endpointmanager channel

👍 Timothy D, Tycho
Kalyan (vkalyan@mobileiron.com)
2020-08-11 16:33:33

@Kalyan has joined the channel

Jeff Mosher (jmosher@ca.ibm.com)
2020-08-13 18:58:27

DEP question! Anyone else's devices getting stuck at "awaiting Final configuration from xyz org" and not proceeding? All was working fine earlier this week, no changes to the MDM profile and using Endpoint Manager.

Ray Domingue (raydomingue@gmail.com)
2020-08-14 19:25:28

*Thread Reply:* Not me. Working fine for us.

Rajesh Kumar (rajes20@gmail.com)
2020-08-15 16:47:18

*Thread Reply:* Sometimes we have seen. Try resting again and see. And don't push so many apps in auto mode ....

iMZ (mark_zimmermann@me.com)
2020-08-15 12:00:21

Did I see that correctly that SCIM has now gone live for ABM and has left the beta ?

R. Dela Cruz (raydel@cdw.com)
2020-08-18 15:16:41

@R. Dela Cruz has joined the channel

JF Rigot (jr@mob.co)
2020-08-20 14:12:47

Hi All I am trying to change the default search engine of Edge browser deployed on iOS from my Intune MDM (default is Bing and I don't want it). Any suggestion?

Ray Domingue (raydomingue@gmail.com)
2020-08-20 17:21:17

*Thread Reply:* Yes, you can do this in the app config policies

Mark Vonk (mark.vonk@dahvo.com)
2020-08-20 19:58:55

*Thread Reply:* I do not think that option is available. See: https://docs.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#utilize-app-configuration-to-manage-the-browsing-experience

Mark Vonk (mark.vonk@dahvo.com)
2020-08-20 19:59:10

*Thread Reply:* I do not see it listed in the app config either

Todd Cole (toddcole13@hotmail.com)
2020-08-20 17:16:56

Does the edge browser support any kind of app configuration changes?

Ray Domingue (raydomingue@gmail.com)
2020-08-20 17:18:50

*Thread Reply:* App protection policies or App configuration policies? Yes to both

Todd Cole (toddcole13@hotmail.com)
2020-08-20 17:21:06

*Thread Reply:* So if Edge browser supports app config from the MDM then you should see if there is a key value pair for default search engine in Edge. (I assume you are talking about changing the setting in Edge browser away from Bing to something else like DuckDuckGo?)

Todd Cole (toddcole13@hotmail.com)
2020-08-20 21:58:32

*Thread Reply:* Time to open a ticket with MS. It is kinda up to them to make that option available.

Suresh Gopi Kolluri (kollurisureshgopi73@gmail.com)
2020-08-22 17:11:01

@Suresh Gopi Kolluri has joined the channel

Peter Giesa (peter.giesa@valtti.com)
2020-08-27 14:21:21

@Peter Giesa has joined the channel

Ville Raassina (ville.raassina@advania.com)
2020-08-27 14:21:49

@Ville Raassina has joined the channel

Brian Irish (brian.m.irish@christianacare.org)
2020-08-28 19:57:58

Hey all, we have a large group of people that use their iPhones to hotspot when working in the field. We are seeing an uptick in calls regarding people not being able to connect to their hotspot. Currently in the middle of writing a troubleshooting document and one of the steps I was going to include was to reset the network settings. What I noticed is when you perform a reset on the network settings it also resets the device name back to iPhone. This is a huge problem for us. We use MobileIron to manage our devices with filtered labels and in order for the filtered label to work properly the device name needs to be set properly or else the device won't get picked up properly. Currently we have device name changes restricted so the user wouldn't be able to do this themselves.

Has a network reset always had this behavior of renaming the phone when performed?

Todd Cole (toddcole13@hotmail.com)
2020-08-28 22:22:02

Why are you resetting the network? That should be rarely needed. (I can’t remember the last time I have needed that and I use hundreds of devices annually and weekly I have 3-5 different devices on my hotspot alone.) Do you know the reason the hotspots are failing?

Brian Irish (brian.m.irish@christianacare.org)
2020-08-31 20:39:57

*Thread Reply:* We are attempting to reset the network settings as a troubleshooting step. This isn't impacting many of our phones but enough for them to start asking for help. We are still trying to determine why their laptops are having problems connecting to their iPhone's hotspot but the connection simply fails. Issue doesn't seem to be specific to a certain model iPhones and iOS versions vary between iOS 12 and 13.

Todd Cole (toddcole13@hotmail.com)
2020-09-08 22:32:35

*Thread Reply:* Carrier?

Ajay Patel (ajay5675@msn.com)
2020-09-04 10:53:38

Anyone here any good with in-house iOS apps and provisioning profiles? (I am in no way an app developer.) Have a customer whose profiles are due to expire and the certificate is due to expire also; when they have selected a new certificate in their developer portal and upload the new profile into their MDM they get an error saying the certificates do not match. Is there a specific way they should be renewing their certificate without having to re-wrap their app and re-deploy it from scratch?

Peter Mohr (pm@conscia.com)
2020-09-04 13:08:52

*Thread Reply:* Provisioning Profiles can be renewed on the fly. Certificates always require a new app deployment. One of the many reasons why Apple actively tries to switch to Custom Apps.... Look at https://developer.apple.com/videos/play/wwdc2020/10667/

Ajay Patel (ajay5675@msn.com)
2020-09-04 16:10:18

*Thread Reply:* Thanks @Peter Mohr, thought that was the case! I did try to push the customer down this route but they are yet to leverage ABM and still quite old school in their deployments

Steven (steven@pro.incogni.ch)
2020-09-08 08:20:21

Is anyone having issues with AC2 and adding devices to ABM/DEP ? I'm struggling with 2 Mac (Catalina + Big Sur) and 2 ABM accounts from 2 different organizations.

Steven (steven@pro.incogni.ch)
2020-09-08 14:20:01

*Thread Reply:* Found the issue :)

Raul (rnadal@mobileiron.com)
2020-09-08 15:19:23

*Thread Reply:* sharing is loving

Steven (steven@pro.incogni.ch)
2020-09-08 15:35:42

*Thread Reply:* I was getting the error: "MCCloudConfigErrorDomain – 0x80EF (33007) The cloud configuration server is unavailable or busy" on AC2 while trying to add devices to ABM. All my troubleshooting was done with 2 devices, and I finally found that those 2 devices were the issue: 1 was already tied to an ABM tenant (I didn't know about), and 1 was unassigned but not released from another ABM tenant (I thought it was released previously). TL;DR: You get this error when you try to add a device that is already assigned or unassigned to an MDM in an ABM tenant.

💯 Timothy Byler
Raul (rnadal@mobileiron.com)
2020-09-08 16:10:33

*Thread Reply:* Good to know,

Raul (rnadal@mobileiron.com)
2020-09-08 16:10:37

*Thread Reply:* thanks for sharing

👍 Steven
Jeremy (jeremy@bodokh.com)
2020-09-11 09:09:45

https://9to5mac.com/2020/09/11/ios-14-iphone-google-chrome-default-browser/

💯 Matt Dermody, Mikey2000, Woody
Woody (eric.woodland@trust.tc)
2020-09-16 21:54:06

*Thread Reply:* Wonder if they'll incorporate a config to set that remotely via MDM

Jeremy (jeremy@bodokh.com)
2020-09-11 09:10:02

That’s available with the latest public chrome version

👍 Damian
Damian (support@expertmobilite.com)
2020-09-11 12:19:41

*Thread Reply:* Nice, I see Firefox and Edge are late to the game!

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-11 14:08:41

*Thread Reply:* More like abiding by the rules: you are not supposed to support features in beta versions till release, per Apple rules

Jeremy (jeremy@bodokh.com)
2020-09-11 16:34:38

*Thread Reply:* I believe it’s only a profile entitlement so it’s not really a new API, that’s probably why it was published.

iMZ (mark_zimmermann@me.com)
2020-09-13 12:57:42

*Thread Reply:* Some email clients available too ?

Steven (steven@pro.incogni.ch)
2020-09-16 11:14:38

*Thread Reply:* Not yet for Outlook

👎 Ray Domingue
Jeremy (jeremy@bodokh.com)
2020-09-16 13:49:23

*Thread Reply:* @Damian now working with Edge

👍 Damian
Werner von der Ohe (werner.vdohe@gmail.com)
2020-09-16 11:54:33

@Werner von der Ohe has joined the channel

Damian (support@expertmobilite.com)
2020-09-18 14:20:32

Apple has gone ahead and done the unthinkable regarding MAC address randomisation! Even if the MAC address was changed to private after an upgrade to iOS 14 it should have kept the physical MAC address as per our tests and confirmation by Apple during the entire beta cycle right up to beta 8 and that we had absolutely nothing to do on the MDM side. However they changed the behaviour from beta 8 to GA so the damn MAC address is no longer the physical one...now all our users have to uncheck this to get access to our corporate Wi-Fi. Things like this really piss me off...

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:21:51

*Thread Reply:* Apple broke all my DEP tokens Tuesday when they flubbed the license agreement.

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:22:02

*Thread Reply:* That was fun.

Damian (support@expertmobilite.com)
2020-09-18 14:23:03

*Thread Reply:* What do you mean by broke? I just accepted the agreement on the ABM - do I need to check something here??? 😧

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:23:49

*Thread Reply:* Most of My tokens were revoked

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:24:23

*Thread Reply:* They were supposed to have the agreement out Tuesday and instead they broke the portal all morning. In that process my tokens were revoked.

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 14:24:54

*Thread Reply:* How does it show revoked on the console? (checking mine now)

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:25:07

*Thread Reply:* Under DEP settings

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:25:21

*Thread Reply:* Or if you manually sync from lifecycle

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 14:25:49

*Thread Reply:* I can only look in DEP for some of them does it say there?

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:26:12

*Thread Reply:* Yeah. It would say above in red

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:26:21

*Thread Reply:* And your new devices would not be syncing

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 14:29:37

*Thread Reply:* I do dep for groups who manage their own mdm so wanted to check in DEP (yes it is all the same organization don't ask) not seeing revoked and seeing new sync dates in ABM so I should be good right?

Damian (support@expertmobilite.com)
2020-09-18 14:31:15

*Thread Reply:* I just synced devices on WS1 UEM - no error

Sharkey (lukesharkey@gmail.com)
2020-09-18 14:34:27

*Thread Reply:* They are making changes in ABM and ASM too without mentioning it. Some UI stuff etc. Typical Apple.

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 15:07:56

*Thread Reply:* I want my field to mass upload serial numbers or spreadsheets back it is not good for trying to process getting rid of lots of devices, also the UI for adding a device by order number got way way worse

👍 Sharkey
Boe (bkelley1982@gmail.com)
2020-09-18 15:19:02

*Thread Reply:* Ah @Sharkey so you're saying I shouldn't panic that my ABM looks jacked this morning

Sharkey (lukesharkey@gmail.com)
2020-09-18 15:24:56

*Thread Reply:* Yeah. They are changing it all up. Scary

Boe (bkelley1982@gmail.com)
2020-09-18 15:29:00

*Thread Reply:* Okay good lol I just linked it to our Intune environment and went to move a device over to start testing and was like WTF did I do lol

Sharkey (lukesharkey@gmail.com)
2020-09-18 15:34:22

*Thread Reply:* Seems you can paste bulk serial numbers into the small field

Sharkey (lukesharkey@gmail.com)
2020-09-18 15:36:55

*Thread Reply:* Also can search by IMEI as well

Boe (bkelley1982@gmail.com)
2020-09-18 15:42:50

*Thread Reply:* Ya I searched for the S/N of my test device so I could move it from WS1 to Intune. Hopefully they fix ABM before others in my company notice and call me freaking out lol

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 15:44:16

*Thread Reply:* How do you get the IMEI search? I did not see a field or get results in the main search window

Sharkey (lukesharkey@gmail.com)
2020-09-18 15:44:55

*Thread Reply:* Download all your devices via CSV

Sharkey (lukesharkey@gmail.com)
2020-09-18 15:45:00

*Thread Reply:* IMEI is in there

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 15:46:17

*Thread Reply:* Seems about right for Apple's new UI

Raul (rnadal@mobileiron.com)
2020-09-18 16:17:06

*Thread Reply:* @Damian, there’s a setting within Wi-Fi payload for iOS 14 that allows disabling MAC Address randomization.

Which UEM product do you use?

👍 Woody
Raul (rnadal@mobileiron.com)
2020-09-18 16:18:47

*Thread Reply:* Maybe a Feature Request for your vendor?

Damian (support@expertmobilite.com)
2020-09-18 16:19:57

*Thread Reply:* We use Airwatch aka WS1 UEM and we already tested this custom xml which works but it’s a false alarm on our end as we weren’t getting the right info - just panicked users

Raul (rnadal@mobileiron.com)
2020-09-18 16:20:14

*Thread Reply:* OK

Raul (rnadal@mobileiron.com)
2020-09-18 16:20:30

*Thread Reply:* This setting is intended for all those using NACs

Raul (rnadal@mobileiron.com)
2020-09-18 16:20:47

*Thread Reply:* so I was surprised while reading you

Raul (rnadal@mobileiron.com)
2020-09-18 16:21:41

*Thread Reply:* I use an NPS server via CBA/TLS, but there the MAC address is not relevant

👍 Woody
Damian (support@expertmobilite.com)
2020-09-18 16:21:44

*Thread Reply:* So to confirm, the physical address doesn’t change but you will see the private address checked - it was only happening when users uncheck the wifi connection and if they recheck they are given a private address and lose the physical one - this is the behaviour we are seeing now

👍 Woody
Raul (rnadal@mobileiron.com)
2020-09-18 16:23:46

*Thread Reply:* I cannot say. Maybe someone using a NAC can confirm it

brob (brian.robinson@gartner.com)
2020-09-18 18:04:25

*Thread Reply:* fwiw Apple did update the ABM release notes last month: https://support.apple.com/en-us/HT208802

👍 Woody
brob (brian.robinson@gartner.com)
2020-09-18 18:04:35

*Thread Reply:* Apple mentioned this in the AppleSeed events too

👍 Woody
Stephen (stephen.stansfield@oa.mo.gov)
2020-09-18 19:00:57

*Thread Reply:* I would have to disagree with their claim of improved bulk management

🤣 Boe
Sharkey (lukesharkey@gmail.com)
2020-09-18 18:21:50

I’m seeing a bunch of people with crashed iPhones doing the update. Fun times.

Steven (steven@pro.incogni.ch)
2020-09-21 09:13:33

*Thread Reply:* We had some too. Anyone got any other issue with this update ?

Woody (eric.woodland@trust.tc)
2020-09-21 19:43:25

*Thread Reply:* Weird. I had the smoothest/quickest major version upgrade to date. What are the symptoms/issues?

Steven (steven@pro.incogni.ch)
2020-09-22 09:24:50

*Thread Reply:* On our side, it was an issue with DEP devices and not iOS 14. Some had to be wiped after the upgrade since they were locked at the authentication prompt. Renewing DEP token solved the issue. I haven't heard about any other issue during this upgrade, except the one about apps not ready for iOS 14 (but I didn't experience an app not working because of this).

👍 Woody
Stephen (stephen.stansfield@oa.mo.gov)
2020-09-22 19:05:17

*Thread Reply:* Were they getting stuck at an Apple logo or refusing to restore even with iTunes?

Sharkey (lukesharkey@gmail.com)
2020-09-22 19:06:07

*Thread Reply:* Stuck at the Apple logo here

Stephen (stephen.stansfield@oa.mo.gov)
2020-09-22 19:07:49

*Thread Reply:* What have you been doing to get people going? I have had a couple reports out of a couple hundred updates which is high for Apple

Sharkey (lukesharkey@gmail.com)
2020-09-22 19:58:58

*Thread Reply:* They have to use iTunes to update it and it finishes

Sharkey (lukesharkey@gmail.com)
2020-09-22 19:59:37

*Thread Reply:* Toughest part is iTunes is not allowed on our laptops 🤷‍♂️

Damian (support@expertmobilite.com)
2020-09-23 11:06:15

Howdy folks! I’m just wondering how everyone is currently managing BYOD iOS devices from a MAM O365 perspective? Do your security/compliance teams require that your BYOD devices have a passcode enabled and so this requires MDM? From what I’ve understood, Microsoft MAM offers encryption at rest but not in transit when compared against BlackBerry Dynamics for example. I’d be interested in how this is evolving for all of you as our users are complaining that with MDM we can do what we like? We’re also starting tests on end user enrollment -to offer better privacy and less admin controls whilst Apple works with other providers like Microsoft to give us dual mode :)

Mark Vonk (mark.vonk@dahvo.com)
2020-09-23 11:34:21

*Thread Reply:* In the APP policies you can enforce encryption. It uses the device encryption which, on iOS, means the user must have a device password. If you set it up that way, MAM enforces a device password, without having to MDM enroll.

👍 Damian
Damian (support@expertmobilite.com)
2020-09-23 11:50:50

*Thread Reply:* You sure it’s possible to enforce a passcode on the « device » without MDM ? I mean have you tested this and not just read a document 😉

Damian (support@expertmobilite.com)
2020-09-23 11:53:16

*Thread Reply:* Has this always been the case as we setup our infra/policies back in 2017 and were always told we needed to have MDM

Paul Conaty (pconaty@cwsi.ie)
2020-09-23 11:54:03

*Thread Reply:* obviously you can also specify an app password for the O365 apps

Paul Conaty (pconaty@cwsi.ie)
2020-09-23 11:55:24

*Thread Reply:* Google are now removing the ability to set a device passcode in WP or COPE in A11 so it looks like app based or container based auth is the way things will go for anything other than fully managed devices regardless of OS

👍 Damian
Mark Vonk (mark.vonk@dahvo.com)
2020-09-23 11:56:36

*Thread Reply:* It works differently: you require encryption and MAM Intune SDK encryption on iOS depends on device encryption. Device encryption on iOS requires some form of pin or password. This is default iOS behavior.

Check: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

Quote: “When you enable this setting, the user may be required to set up and use a PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."”

This has been the case for a long time already. Dates back to the time APPs supported app data encryption.

👍 Paul Conaty, Damian
Mark Vonk (mark.vonk@dahvo.com)
2020-09-23 11:58:18

*Thread Reply:* So no need for MDM. This encryption rule on MAM just enforces the user to set a PIN or password. Works perfectly for some of my customers.

👍 Damian
Damian (support@expertmobilite.com)
2020-09-23 12:03:12

*Thread Reply:* @Paul Conaty we already force the users to set a PIN on all MS apps with biometrics allowed.

👍 Paul Conaty
Damian (support@expertmobilite.com)
2020-09-23 13:10:58

*Thread Reply:* I’ll throw something else into the mix here. We also deploy some 3rd party apps which don’t have a PIN ability like MS MAM so imagine we deploy without MDM (we use WS1 UEM btw) and the user decides to install one of these apps without first installing a Microsoft app so no device passcode check!

Andrea Parisi (aparisi@imprivata.com)
2020-09-29 15:44:54

@Andrea Parisi has joined the channel

brandobot (brwong@linkedin.com)
2020-10-02 18:25:38

an iOS device running 14.0.1 has an old mail profile deployed by MDM. After removing the Device Management profile, the mail profile still exists. (Account shows up in Settings, but there is no delete button).

I tried erasing/resetting the device and restoring from iCloud, but it also restored the mail profile. (Backup Mail was not selected).

Any idea how to remove this corrupted profile without losing the user’s data/apps?

Boe (bkelley1982@gmail.com)
2020-10-02 19:39:07

*Thread Reply:* Have you tried removing the Apple Mail app and then rebooting and reinstalling it from the App Store?

brandobot (brwong@linkedin.com)
2020-10-02 23:09:41

*Thread Reply:* good suggestion. let me try!

brandobot (brwong@linkedin.com)
2020-10-02 23:25:08

*Thread Reply:* didn’t work 😞. It left all the accounts there, but left it in an “inactive” state

Woody (eric.woodland@trust.tc)
2020-10-02 19:35:59

Interesting @brandobot. So the Exchange config was basically orphaned?

brandobot (brwong@linkedin.com)
2020-10-02 19:37:45

yep.. nothing shows up under Settings >> General >> Device Management or Profiles, but the Mail account is still there and not able to be removed 😞

Woody (eric.woodland@trust.tc)
2020-10-02 20:05:31

I recall something like this happening back in the day. There was a way to forcibly remove it. I think it came in the form of a custom MDM XML/Policy you deployed to go in and fetch/remove said orphaned payload

Sharkey (lukesharkey@gmail.com)
2020-10-02 20:10:04

This happens to me when someone uses the “no limit” option. Basically it stalls and chokes on removing the huge database of mail and never finishes the profile removal. iOS still reports it gone to MDM though. Lesson learned: never use no limit.

👍 Woody
Sharkey (lukesharkey@gmail.com)
2020-10-02 20:10:46

I remember using something like imazing to get rid of the profile. But that requires the device in hand.

Mikey2000 (mscottscranton079@gmail.com)
2020-10-05 10:04:48

We have an iOS app from a software developer. The app is not published in the AppStore, but the developer claims that there is a way to deploy private apps via VPP. Not sure how this can be done.

Almar Diehl (almar.diehl@blaud.com)
2020-10-05 10:07:21

Yes, this can be done via Custom Apps. The developer needs to publish the app in the AppStore and add your ABM Customer ID to it to make it only available for your company. The app will then show up in ABM as a custom app and can be added to your VPP.

👍 Yasar, Thomas B.
Almar Diehl (almar.diehl@blaud.com)
2020-10-05 10:08:25

See: https://developer.apple.com/business/custom-apps/

Mikey2000 (mscottscranton079@gmail.com)
2020-10-05 10:19:18

Great thank you - I didn’t know that!

Almar Diehl (almar.diehl@blaud.com)
2020-10-05 10:40:13

Apple wants to get rid of Enterprise developer IDs. Smaller companies that request an enterprise developer ID do not get one anymore. Custom apps are the future. Advantage: no need to renew profiles every year. Profiles of custom apps are valid for 30 years. Disadvantage: harder to use alpha/beta versions of apps.

Cedric Lüke (mail@cedric.cc)
2020-10-05 10:45:06

Custom Apps will also still go through Apple Review - so hopefully your developer fancies dealing with that (including providing demo accounts for the review team).

aaron (aaron@groundctl.com)
2020-10-05 18:39:33

Beta testing of custom apps is done through Test Flight. However, this process cannot be managed by MDM.

Sharkey (lukesharkey@gmail.com)
2020-10-06 15:52:51

Anyone hearing complaints about ios 14.01 and battery life?

Sharkey (lukesharkey@gmail.com)
2020-10-06 15:53:03

or any ways to mitigate it?

Jason (jasonh@bridgeway.co.uk)
2020-10-06 16:32:23

Disable the Covid-19 bluetooth scanning & broadcasting (c.f. Exposure Settings in the Settings app)

😷 Jason, Prip, Raul
Sharkey (lukesharkey@gmail.com)
2020-10-06 16:53:05

yeah, but that came before 14.01

Sharkey (lukesharkey@gmail.com)
2020-10-06 16:53:42

https://micky.com.au/fixing-the-ios-14-battery-drain-problem-will-require-a-factory-reset/

Stephen (stephen.stansfield@oa.mo.gov)
2020-10-06 17:21:35

I really hope they fix that in an iOS update

👍 Sharkey
Ajay Patel (ajay5675@msn.com)
2020-10-07 11:35:37

13th October - Apple will officially announce their new iPhone line up

👍 DirkC, Ray Domingue, Woody
Ash (ashmax439@gmail.com)
2020-10-09 13:14:20

@Ash has joined the channel

Jeremy (jeremy@bodokh.com)
2020-10-14 11:27:04

Hey, I remember someone here was able to invite people to AppleSeed, is that person still around? Thanks a lot

Peter Mohr (pm@conscia.com)
2020-10-14 11:28:19

*Thread Reply:* no need... Anyone with a managed appleID can log in to AppleSeed now...

Jeremy (jeremy@bodokh.com)
2020-10-14 11:31:28

*Thread Reply:* I did not know that, thanks a lot!

Boe (bkelley1982@gmail.com)
2020-10-15 04:56:11

*Thread Reply:* What is AppleSeed?

Cedric Lüke (mail@cedric.cc)
2020-10-15 08:18:41

*Thread Reply:* AppleSeed provides access to "Enterprise" resources for beta updates, e.g. change logs & test plans with a focus on features used by companies. You can log in with a managed AppleID at appleseed.apple.com

Eric Thiele (eric@ibm.com)
2020-10-14 21:01:11

@Eric Thiele has joined the channel

Matthijs Schut (matthijs.schut@blaud.com)
2020-10-16 08:35:17

@Matthijs Schut has joined the channel

U Sch (urbaan.schoonderwoerd@blaud.com)
2020-10-16 14:16:12

@U Sch has joined the channel

Tommy L (tommy.le@techstep.se)
2020-10-19 09:46:47

@Tommy L has joined the channel

David F (david.fink@gov.bc.ca)
2020-10-22 23:13:39

I did search the channel and I apologize for the very vanilla question. I have a client that is now being forced to MFA their appleID across multiple generic devices. I suspect there is no external authenticator app for iOS that would help in this case?

Sharkey (lukesharkey@gmail.com)
2020-10-22 23:14:50

*Thread Reply:* Hey! No there is no app for Apple ID MFA.

David F (david.fink@gov.bc.ca)
2020-10-22 23:15:18

*Thread Reply:* Sharkey!! Long time no see

David F (david.fink@gov.bc.ca)
2020-10-22 23:15:52

*Thread Reply:* What about some kind of google voip phone app so they can share a number to receive SMS?

Sharkey (lukesharkey@gmail.com)
2020-10-22 23:17:13

*Thread Reply:* I’ve tried in the past to get texts to a similar app from apple and they always failed to send it. They are on to you.

David F (david.fink@gov.bc.ca)
2020-10-22 23:19:25

*Thread Reply:* but we be SMRT

Raul (rnadal@mobileiron.com)
2020-10-23 07:24:37

*Thread Reply:* You can add up to 6 cell numbers to the same AppleID

👍 Sharkey
Raul (rnadal@mobileiron.com)
2020-10-23 07:25:21

*Thread Reply:* that’s how we do to handle more than 5 admins on ABM

Raul (rnadal@mobileiron.com)
2020-10-23 07:25:56

*Thread Reply:* we have added several cell numbers to each admin account. The same limit should apply to regular AppleIDs.

Jeremy (jeremy@bodokh.com)
2020-10-23 09:18:59

*Thread Reply:* Did anyone try to set up a Twilio number with redirection to other numbers? Wonder if that would work

David F (david.fink@gov.bc.ca)
2020-10-26 23:25:11

*Thread Reply:* Missed this, sorry @Raul. Does it hit all 6 numbers at once or cycle through them?

Raul (rnadal@mobileiron.com)
2020-10-27 06:58:32

*Thread Reply:* When you login to ABM, it will prompt you to choose the cell number on the list.

You can add 6 cells to each admin account (ABM allows up to 5 admin accounts)

Mikey2000 (mscottscranton079@gmail.com)
2020-10-23 08:38:17

Sorry for the question - I know this topic has been discussed many times before, but I can’t find the old conversation in here.

Backup/Restore process with DEP Enrollments scenario: We use MobileIron Core with iOS. Devices are enrolled, but most of the devices are not supervised. If the user receives a new device, the new device will be enrolled via DEP and the backup from the previous device should be restored via iTunes (or sometimes iCloud) backup. Yes I know, consumer feature..

So - using the restore option during the setup should be fine to keep the device in supervised state or will this cause issues? Or do we need a temporary device for the restore? Could someone outline the correct process for me?

Raul (rnadal@mobileiron.com)
2020-10-23 10:13:13

*Thread Reply:* Hey,

Raul (rnadal@mobileiron.com)
2020-10-23 10:13:18

*Thread Reply:* That’s an easy rule

Raul (rnadal@mobileiron.com)
2020-10-23 10:13:48

*Thread Reply:* Backup from unsupervised device restored to Different Supervised device will be OK.

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2020-10-23 10:14:19

*Thread Reply:* Backup from unsupervised device restored to same device that now is supervised will break Supervised mode

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-10-23 10:19:14

*Thread Reply:* There was a bug sometime back within iTunes restoring DEP devices. Does it matter if we restore from iCloud or iTunes? But restore only during the setup assistant, and not afterwards right?

Raul (rnadal@mobileiron.com)
2020-10-23 10:20:27

*Thread Reply:* I will let others confirm.

👍 Mikey2000
Julio (julio.vita@hotmail.de)
2020-10-25 04:45:29

*Thread Reply:* Restore only during setup, anything else creates a huge mess.

👍 Mikey2000
Nick (nickdiaz@gmail.com)
2020-10-26 15:04:57

Is there some iOS MDM restriction that would possibly prevent a certificate-authenticated IKEv2 VPN connection?

Todd Cole (toddcole13@hotmail.com)
2020-10-26 15:10:55

You can block the install of config profiles. If you know the cert there might be options, but I would need to dig into it a bit

Stephen (stephen.stansfield@oa.mo.gov)
2020-10-26 15:14:16

You can block vpn connections you did not send

👍 Todd Cole, Woody
⬆️ Todd Cole, Woody
Nick (nickdiaz@gmail.com)
2020-10-26 16:38:43

I'm actually just trying to get an IKE working. ASA accepts the connection and authenticates the certificate. Device then drops the connection immediately. It's a fairly constrained COBO configuration, so assuming the ASA is configured properly, I'm wondering why an iOS device might do that. Wondering if I blocked it with some setting somewhere. The certificate is pushed by MDM.

Barbra Conner (iambac777@gmail.com)
2020-10-28 14:53:58

Does anyone use Exchange O365 using Oauth for email etc using the iOS native clients? If so what is the experience with reauthentication? We have mixed results whereby some devices prompt for authentication nearly hourly, some daily, some very randomly.

Ajay Patel (ajay5675@msn.com)
2020-10-29 10:14:54

iOS backup question - does anyone know if it's possible to restore a non-DEP device to a supervised device using the set up manually option (Bluetooth)

Raul (rnadal@mobileiron.com)
2020-10-29 10:39:32

*Thread Reply:* backup from same device when it wasn’t supervised or from a different unsupervised device?

Raul (rnadal@mobileiron.com)
2020-10-29 10:40:02

*Thread Reply:* If you restore a backup from the same device when it wasn’t supervised, you will break supervision

Ajay Patel (ajay5675@msn.com)
2020-10-29 10:40:13

*Thread Reply:* backup from an old device (iphone 7 - non DEP) to a new device (DEP iPhone XR)

Raul (rnadal@mobileiron.com)
2020-10-29 10:46:38

*Thread Reply:* That will not break the supervision

Ajay Patel (ajay5675@msn.com)
2020-10-29 10:51:37

*Thread Reply:* But do you know if it will still work through the manual restore process and not an iCloud backup? I don’t have any devices to test just yet so was wondering if anyone had been through this process

Julio (julio.vita@hotmail.de)
2020-10-30 16:13:08

*Thread Reply:* What do you mean with Bluetooth? The Quick Start feature? If yes, never use that with devices you want to manage, it's built for consumer usage.

Nick (nickdiaz@gmail.com)
2020-10-30 12:48:15

Finding that MDM push notifications cannot be sent to an iOS device when an Always-on IKEv2 VPN is active. They work fine if the Always-on checkbox is turned off, and the user toggles on the VPN. All other traffic flows fine. The full 17.0.0.0/8 range is open on the firewall, and ports 5223 and 2195-2197 are open. I see other examples of the problem on the Internet but no solutions. Best I figure it's an Apple bug, and just not many people use an Always-on IKEv2 VPN.

Mark Vonk (mark.vonk@dahvo.com)
2020-10-30 12:53:14

I assume port 443 is allowed from the device to Apple? Because that is the default for APNs now.

Nick (nickdiaz@gmail.com)
2020-10-30 13:46:24

Indeed.

Todd Cole (toddcole13@hotmail.com)
2020-10-30 17:11:29

Nick, AOVPN is a hard tunnel to deal with. You cannot proxy the APNS traffic successfully (this is where I see most breakdowns). Also, if you are attempting any type of break and inspect you kill the solution. I would suggest reaching out to the business AppleCare line if you have the ability; they may have more insight. Also ensure that 5223, 443, and 2197 are open (you said they are, but just saying it). Also IPv6 blocking? Just trying to cover the options. Also 2195/2196 are no longer used.

Nick (nickdiaz@gmail.com)
2020-10-30 21:53:57

Thanks @Todd Cole. It ended up being the ISP blocking the APNS ports - something you don’t see very often, but understandable in this special circumstance.

👍 YAS
Todd Cole (toddcole13@hotmail.com)
2020-10-30 21:54:24

Glad you found the answer

Yehuda Azulay (yehuda@tmgltd.co.il)
2020-11-04 09:55:56

@Yehuda Azulay has joined the channel

Jay (vita@akut-hr.de)
2020-11-05 12:41:25

@Jay has joined the channel

Jay (vita@akut-hr.de)
2020-11-10 15:39:54

If I release iOS devices from ABM, that shouldn’t have any impact on the devices already in use until the next time they factory reset right?

Almar Diehl (almar.diehl@blaud.com)
2020-11-10 16:03:32

*Thread Reply:* Right!

👍:skin_tone_5: Jay
ZL (mobilepros@zolik.co.uk)
2020-11-18 16:36:42

*Thread Reply:* Correct. Same applies to moving device from one location to another.

👍:skin_tone_5: Jay
Kawarien (ibrahimabbaadam@yahoo.fr)
2020-11-10 18:02:26

@Kawarien has joined the channel

Caryn (Csnshop@icloud.com)
2020-11-10 19:32:12

For anyone who is supporting taking payments on an iOS device: How is compliance being implemented or maintained with the PCI requirement to inspect devices before they are used for tampering or substitution? As part of PCI requirements, client wanted a weekly report to show location tracking of DEP enrolled iPads (cellular) in WS1, which, even with Hub installed and location services on, I have not been successful with. Any ideas?

ZL (mobilepros@zolik.co.uk)
2020-11-18 16:35:10

*Thread Reply:* We have tried a scalable payment solution in the past and it was awful. But that was years ago. The main problem was that Apple was not interested in helping or discussing how the solution could be improved (with one of the biggest retailers in the UK). We went with Android and a custom in-house app for tracing and reporting.

Damian (support@expertmobilite.com)
2020-11-16 10:31:29

Sharing here in case any of you are using Workspace ONE UEM

👍 ZL, Adrian Patrascu
Adrian Patrascu (adrian.patrascu88@gmail.com)
2020-11-23 09:46:02

*Thread Reply:* This was affecting us big time Damian. Thank you for sharing!

Conal Murphy (conal.murphy@firstsentier.com)
2020-11-18 09:21:40

@Conal Murphy has joined the channel

Eliot Estep (eliot.estep@techstep.se)
2020-11-18 14:36:05

@Eliot Estep has joined the channel

Matt Dillard (dillardma@vmware.com)
2020-11-18 15:49:51

@Matt Dillard has joined the channel

Sami Huhtala (sami.huhtala@valtti.com)
2020-11-24 07:18:22

@Sami Huhtala has joined the channel

jafullersr (jafuller@starbucks.com)
2020-11-24 23:11:09

Have you looked into Federation with AAD for ABM? If so, what are your thoughts? There is a lot to unpack with the settings that Apple takes over for managed Apple IDs and using existing domains.

Ronald Reerds (ronald.reerds@blaud.com)
2020-12-01 20:47:16

*Thread Reply:* We’ve got it running and we like it thus far.... it does have some downsides even with a small amount of users.

👏 Thomas B.
jafullersr (jafuller@starbucks.com)
2020-12-02 23:27:27

*Thread Reply:* Do you use it with 1:1 deployments? Are you only using it for shared iPad? Curious the use cases you've applied.

Mark Vonk (mark.vonk@dahvo.com)
2020-11-25 17:25:33
Tim (tim.struik@blaud.com)
2020-12-04 14:38:16

Anybody activated just SCIM in ABM yet and synced users 'between' AAD and ABM? After syncing, assigned AAD users appear in ABM, but without federated auth, how can you use these synced users, which are now managed Apple IDs within ABM? Are these users able to authenticate within Apple services with their AAD password as well? Read several articles, but they all describe this sync feature; nice, but how are these managed Apple IDs usable after syncing....?

Peter Mohr (pm@conscia.com)
2020-12-04 14:40:16

You can’t. SCIM requires federation. In fact, if you set up SCIM before federation, it’s just set on pause until you enable federation.

Tim (tim.struik@blaud.com)
2020-12-04 15:36:06

*Thread Reply:* Ah, great, that makes things clear. I was a bit confused by the Apple documentation, as it mentions to configure SCIM first and then federated auth afterwards. So SCIM is an addition to federated auth, but you can't use it as 'stand alone'?

Peter Mohr (pm@conscia.com)
2020-12-04 15:50:03

*Thread Reply:* Correct.

Peter Mohr (pm@conscia.com)
2020-12-04 15:50:46

*Thread Reply:* SCIM is for updating user info (create, update, delete) and federation is for authentication (and just-in-time creation of users)

Tim (tim.struik@blaud.com)
2020-12-04 16:14:34

*Thread Reply:* The difference was clear, but after reading several blogs I noticed that SCIM and fed auth were described as separate solutions that could function separately from each other; at this point I started doubting. Thanks, have a nice weekend!

mobtech (ankit22kkl@gmail.com)
2020-12-07 12:53:16

@mobtech has joined the channel

Bill (slack@meshak.net)
2020-12-09 10:48:52

I've had a couple of users get bit by the Apple ID Account Recovery process, where they have to wait a few weeks to reset their password and can't use their device(s) during that period either. Is there a way to avoid this, such as federation of IDs? It makes IT look bad even though it's out of our control.

Peter Mohr (pm@conscia.com)
2020-12-09 13:05:17

yeah, you have two options.

A) Stop using AppleId for anything in the enterprise. Use VPP Device-based licensing, Use web-enrollment and DEP where possible

B) Migrate to Managed AppleIDs (MAID). With that you can provide, using SCIM and federation, a very nice user experience with admin benefits. MAIDs also provide support for both Shared iPads and User Enrollment, but MAIDs can’t purchase apps in the Apple App Store, so you still need to provide VPP apps, and users might not see this as a 100% replacement of their old personal AppleIDs.

and perhaps C) Don’t care. Ask users to call Apple and sort it out.

💯 Raul, Ajay Patel, Woody
👍 Tim
Stefan Linge (stefan.linge@miradore.com)
2020-12-09 14:15:54

@Stefan Linge has joined the channel

Raul (rnadal@mobileiron.com)
2020-12-09 14:21:11

VPP per device is sweet. Users don’t even need an AppleID on device

Raul (rnadal@mobileiron.com)
2020-12-09 14:21:22

If you also have supervised devices, that’s golden

Peter Mohr (pm@conscia.com)
2020-12-09 14:23:25

True, but you don’t require supervised 🙂 Works on device enrolled devices.

Raul (rnadal@mobileiron.com)
2020-12-09 15:41:38

yeah, but users still have to say OK to each app you push from UEM. VPP is good to forget about AppleID, which is a big advantage, but if you want the best UX, you also want Supervised mode

👍 Peter Mohr, Woody
brandobot (brwong@linkedin.com)
2020-12-14 21:09:04

Is there a site where I can find currently supported iOS versions? I’m trying to determine what is considered end of life.

Andrew Montague (amontague78@gmail.com)
2020-12-15 09:35:08

*Thread Reply:* Apple have a list on their site.

iOS 14 - Apple (UK)

• iPhone 11 • iPhone 11 Pro • iPhone 11 Pro Max • iPhone XS • iPhone XS Max • iPhone XR • iPhone X • iPhone 8 • iPhone 8 Plus • iPhone 7 • iPhone 7 Plus • iPhone 6s • iPhone 6s Plus • iPhone SE (1st generation) • iPhone SE (2nd generation) • iPod touch (7th generation)

iPadOS 14 - Apple (UK)

• iPad Pro 12.9-inch (4th generation) • iPad Pro 11-inch (2nd generation) • iPad Pro 12.9-inch (3rd generation) • iPad Pro 11-inch (1st generation) • iPad Pro 12.9-inch (2nd generation) • iPad Pro 12.9-inch (1st generation) • iPad Pro 10.5-inch • iPad Pro 9.7-inch • iPad (8th generation) • iPad (7th generation) • iPad (6th generation) • iPad (5th generation) • iPad mini (5th generation) • iPad mini 4 • iPad Air (4th generation) • iPad Air (3rd generation) • iPad Air 2

Apple (United Kingdom)
Andrew Montague (amontague78@gmail.com)
2020-12-15 09:40:06

*Thread Reply:* I use Everyi.com for their Maximum iOS Version for iPhone, iPad and iPod touch article which seems pretty reliable for older devices.

ZL (mobilepros@zolik.co.uk)
2020-12-18 10:12:03

*Thread Reply:* n-1 or n-2 is standard practice

Woody (eric.woodland@trust.tc)
2020-12-15 04:04:39

@brandobot Typically Current-2 is a good stance to take. Even then, the -1 and -2 versions are still only receiving critical patches, not new features/etc

👍 brandobot, Andrew Montague
J Rijpkema (j.rijpkema@zorgbalans.nl)
2020-12-16 08:14:54

@J Rijpkema has joined the channel

Jordan Philip (jordan.philip@mobilesolutions.net)
2020-12-18 19:39:16

So iOS updates can't be downloaded via cellular, which makes sense, but does anyone know if you push an update via MDM if that overrides the restriction? My two cell enabled iPads are completely up to date, else I'd try right now.

Peter Mohr (pm@conscia.com)
2020-12-18 21:26:28

*Thread Reply:* MDM will not override, but you can’t generalize that OTA updates are not working/allowed over cellular. It depends on the carrier. Some carriers restrict the download and some don’t - It’s part of the carrier settings. Even if the carrier allows unlimited OTA updates (we have 1 here in Denmark that allows that; while the others only allow smaller OTAs) there is a short (2-3 weeks?) blocker where an update is only available on Wi-Fi. After this period the OTA settings kick in. (try to set your date to some date in the future and test :))

➕ Thomas B.
Jordan Philip (jordan.philip@mobilesolutions.net)
2020-12-18 22:35:28

*Thread Reply:* @Peter Mohr thanks for the great info!

TheWolfpack (w.bauer83@googlemail.com)
2020-12-21 09:08:27

@TheWolfpack has joined the channel

Florent N. (Florent.NOSARI@econocom.com)
2020-12-28 11:12:04

@Florent N. has joined the channel

Boe (bkelley1982@gmail.com)
2020-12-30 15:10:31

I'm curious has anyone had reports from their users about having issues sending emails with attachments after upgrading to iOS 14.3? I've had 5 tickets alone from end users this week so just curious if this is a trend others are seeing?

Ray Domingue (raydomingue@gmail.com)
2020-12-31 15:51:06

*Thread Reply:* I looked at the apple forums and saw an issue with attaching pictures in Mail since 14.x. Not sure if that's the same issue you're having.

Boe (bkelley1982@gmail.com)
2021-01-05 14:38:52

*Thread Reply:* Thanks for the response Ray. About an hour after posting that I got a report from an Android user as well. We are going thru an Exchange upgrade currently and that team is dragging their feet, so it appears to be something on their end, so we will see when they get around to actually fixing it. In the meantime I guess I'll just try and calm down the annoyed users lol

Durrante (me@alexdu.co.uk)
2021-01-05 12:43:34

@Durrante has joined the channel

Ajay Patel (ajay5675@msn.com)
2021-01-05 15:54:00

Does anyone have any experience with using Jamf but also managing other UEM products? For basic Apple management (ABM/DEP/VPP) are there any additional benefits that Jamf brings to the table? It's one that always crops up in large deployments but I've never actually had hands-on time with it

Todd Cole (toddcole13@hotmail.com)
2021-01-11 16:42:28

*Thread Reply:* I have used many MDMs to manage large and small deployments of Apple devices. Jamf is one of the best MDMs out there. They are very responsive to new features, they have great automated enforcement, and being “Apple only” lets them focus. They have one of the most complete MDMs, meaning of the “available MDM features” Jamf has implemented most of them. I have used most of the major players (IBM, VMware, Microsoft, Mosyle, Kandji, Meraki, and many others) and Jamf time and again comes out on the top of the list for features and usability.

Ajay Patel (ajay5675@msn.com)
2021-01-11 17:30:28

*Thread Reply:* Thanks @Todd Cole - I think I'm going to spin up a trial and have a bit of a play around with it

Todd Cole (toddcole13@hotmail.com)
2021-01-11 17:35:31

*Thread Reply:* Jamf pro is great but you can get a basic idea with the free JamfNow account

Woody (eric.woodland@trust.tc)
2021-01-06 18:49:54

Catching up on iPadOS and Kiosk Mode--Did it receive any enhancements in iOS 14 that allow for more than a single app to be used?

Woody (eric.woodland@trust.tc)
2021-01-06 18:50:20

*Thread Reply:* I think I know the answer to this, but better to ask than to respond incorrectly 🙂

Woody (eric.woodland@trust.tc)
2021-01-06 18:50:44

*Thread Reply:* Hey @Barbra Conner look--I’m threading! 😆

🤣 Barbra Conner
Woody (eric.woodland@trust.tc)
2021-01-06 18:55:40

*Thread Reply:* My preference is to accomplish this with Home Screen/Dock, and App Whitelist/Blacklist configs. Just wondering if the Kiosk mode was enhanced any more since inception

Peter Mohr (pm@conscia.com)
2021-01-06 18:59:19

*Thread Reply:* You can hide/disable apps (internal & 3rd party). All except the “Settings” app. Inside that you can disable many things a user could click, but not all. Perhaps this is good enough for your use case?

Woody (eric.woodland@trust.tc)
2021-01-06 19:00:34

*Thread Reply:* @Peter Mohr Is what you described attainable using Kiosk or was that via the other configs I mentioned?

Woody (eric.woodland@trust.tc)
2021-01-06 19:01:13

*Thread Reply:* Just trying to determine if there’s any superiority to using Kiosk vs all the individual configs

Peter Mohr (pm@conscia.com)
2021-01-06 19:03:51

*Thread Reply:* It's a restriction policy… We use it all the time on shared devices

Woody (eric.woodland@trust.tc)
2021-01-06 19:06:34

*Thread Reply:* Okay, that’s the angle I’ve been working as well

Woody (eric.woodland@trust.tc)
2021-01-06 19:08:58

*Thread Reply:* So “Multi App Kiosk” but done using misc configs instead of a singular config (Like Single App Kiosk)

Peter Mohr (pm@conscia.com)
2021-01-06 19:10:01

*Thread Reply:* correct

Peter Mohr (pm@conscia.com)
2021-01-06 19:11:23

*Thread Reply:* The only real issue is the Settings app. Lock as much as you can down with restrictions and hope for the best 🙂 Generally works fine. You can always find fingers that want to toggle anything… This is not Single App Mode…

👍 Woody
Thomas B. (tbosboom@apple.com)
2021-01-11 20:34:35

*Thread Reply:* Temporary session on Shared iPad might be interesting to consider

👍 Woody
Jon Henson (jonathanwhenson@gmail.com)
2021-01-07 20:49:51

@Jon Henson has joined the channel

Woody (eric.woodland@trust.tc)
2021-01-11 22:07:11

Does anyone know if (as-of iOS 14) there is an MDM control to allow/disallow “Prevent Cross-Site Tracking” in Safari?

Mark Vonk (mark.vonk@dahvo.com)
2021-01-12 14:15:12

*Thread Reply:* Not according to the documentation on configuration profiles

Woody (eric.woodland@trust.tc)
2021-01-12 18:41:27

*Thread Reply:* @Mark Vonk Yeah, that’s what I’m seeing. Apple pretty much prevented it from being touched all around on iOS/iPadOS (unless the user goes in and manually changes it)

iMZ (mark_zimmermann@me.com)
2021-01-12 13:21:57

On 26 January there is a three-day seminar (ONLINE) on iOS 14 (MDM, ABM, ....) https://www.comconsult-akademie.de/ios-im-unternehmen/

ComConsult Akademie - Seminars. Congresses. Certifications.
Jordan Philip (jordan.philip@mobilesolutions.net)
2021-01-13 18:12:02

Hello, anyone impacted by the iOS 14.2+ and MDM-deployed app crashing issue? https://github.com/xamarin/xamarin-macios/issues/10086#issuecomment-738237870 We've been dealing with this for a while, and haven't heard really any updates from either Apple or MS, aside from the blame game. Current fix is to stop distributing app from MDM, direct user to public app store to download app, works every time, just hard in dedicated device scenarios where no iCloud account exists and the app stores are blocked.

Ray Domingue (raydomingue@gmail.com)
2021-01-25 14:47:59

*Thread Reply:* I know I'm late to the ball on this ... but yes, we're in the same boat. We had to go back to the developer of our app and ask them to fix the issue. The biggest issue for them was the "trampoline" issue. We're hoping that this week they'll release the update that's going to fix this for us. To add, we tried other alternative solutions, nothing worked.

Peter Mohr (pm@conscia.com)
2021-01-13 18:13:06

Let's hope that iOS 14.4 (beta 2) will fix this issue 🙂

Peter Mohr (pm@conscia.com)
2021-01-14 08:43:32

Uhh nice…

👍 Woody, Boe
Boe (bkelley1982@gmail.com)
2021-01-15 18:52:03

*Thread Reply:* anyone got any idea when this will go GA

Ray Domingue (raydomingue@gmail.com)
2021-01-25 14:48:38

*Thread Reply:* Ughhhh.

Peter Mohr (pm@conscia.com)
2021-01-25 14:50:22

*Thread Reply:* Twitter says Tuesday this week 🙂

👍 Boe
Ray Domingue (raydomingue@gmail.com)
2021-01-25 14:50:25

*Thread Reply:* My Apple POC advised that this was a developer issue. We went back to the developer and they advised that they were working on the "trampoline" issue that will fix this issue. The app update is currently in the works and hoping that an app update is coming out this week for this.

Peter Mohr (pm@conscia.com)
2021-01-25 14:50:59

*Thread Reply:* I guess they don’t have to fix “trampolines”. Just update to 14.4 tomorrow

Ray Domingue (raydomingue@gmail.com)
2021-01-25 14:59:31

*Thread Reply:* @Jordan Philip thought you'd like to see this.

Ray Domingue (raydomingue@gmail.com)
2021-01-26 20:32:33

*Thread Reply:* Update ... still no iOS 14.4 for today

Ray Domingue (raydomingue@gmail.com)
2021-01-26 20:32:41

*Thread Reply:* Twitter was wrong

Boe (bkelley1982@gmail.com)
2021-01-26 20:35:08

*Thread Reply:* Damn you Twitter......... 😛

Boe (bkelley1982@gmail.com)
2021-01-27 04:22:28

*Thread Reply:* @Ray Domingue I guess we just had to be patient https://www.theverge.com/2021/1/26/22251149/iphone-update-14-4-fixes-exploited-security-vulnerabilities

Jordan Philip (jordan.philip@mobilesolutions.net)
2021-01-14 22:49:23

This is the best news I've read this week. Thanks @Peter Mohr you made my day

👍 Woody
Woody (eric.woodland@trust.tc)
2021-01-15 01:23:47

Okay, so my efforts to find a way to disable Cross-Site Tracking came up empty. This setting is clearly here to stay.

Does anyone have recommendations on best practices for those writing/hosting their own apps?

The best piece of advice I’ve found thus far is to keep the website and the api on the same domain, e.g. https://web.mydomain.com and https://api.mydomain.com.

Jeremy (jeremy@bodokh.com)
2021-01-15 09:22:34

*Thread Reply:* Definitely, I’d say host the website on www and your app on api. You don’t want to use www for both, as it might be two different servers (like a WordPress for the www and something else for the app)

Jeremy (jeremy@bodokh.com)
2021-01-15 09:23:12

*Thread Reply:* Using two different domains, mydomain.com and yourdomain.com, will end up being a nightmare for user tracking, sessions, SEO ...

👍 Woody
Woody (eric.woodland@trust.tc)
2021-01-15 18:26:08

*Thread Reply:* @Jeremy agree on all fronts! Thanks for the response. I know the design of the app isn’t technically in our realm, but I’m trying to provide guidance as best I can

AwAz (azharuddin.ece@gmail.com)
2021-01-23 19:40:50

@AwAz has joined the channel

Boe (bkelley1982@gmail.com)
2021-01-27 04:23:08

https://www.theverge.com/2021/1/26/22251149/iphone-update-14-4-fixes-exploited-security-vulnerabilities

Niklas Jenslöv (niklas.jenslov@gmail.com)
2021-01-29 08:26:05

Friends! Anyone with similar experience with managing iOS updates in MDM? https://mobilxperts.slack.com/archives/C1V75UE76/p1611907747036100

Boe (bkelley1982@gmail.com)
2021-01-29 14:45:19

*Thread Reply:* I'm currently using this feature now in WS1 and have been ever since they released the ability to do so. For us at least it's been pretty straightforward and typically works with little to no issue. The only time I normally see failures is if the battery is too low, the device is low on storage, or they are on cellular, and once the device connects back to Wi-Fi it usually corrects itself and completes.

Boe (bkelley1982@gmail.com)
2021-01-29 14:45:22

*Thread Reply:*

Boe (bkelley1982@gmail.com)
2021-01-29 14:46:22

*Thread Reply:* The one issue I have with this setup though is I can't force it to devices that have a lock screen PIN enabled. On those I can push it down and have it ready, but like you mentioned the user then has to accept the update before it will install. I wish we could both force that and force the download over cellular so I could get these updates rolled out quicker.

Niklas Jenslöv (niklas.jenslov@gmail.com)
2021-01-29 14:46:57

*Thread Reply:* Hi Boe,

Niklas Jenslöv (niklas.jenslov@gmail.com)
2021-01-29 14:47:29

*Thread Reply:* Don't you ever get the "Unable to install..." error message (see images)?

Boe (bkelley1982@gmail.com)
2021-01-29 14:57:43

*Thread Reply:* If users are seeing that, it's never been reported to me. Also, as you can see, I started my rollout of iOS 14.4 two days ago. I first deployed specifically to a small group of iPads that actually needed 14.4 to fix an issue with an app developed on the Xamarin platform, along with a few other smaller test groups. Then mid-afternoon yesterday, once I was sure it wasn't causing any issues, I pulled that deployment and re-deployed using a smart group I created to push this to all available corporate devices, and as you can see from the screenshot it's flying thru them pretty quickly, all things considered.

Boe (bkelley1982@gmail.com)
2021-01-29 14:59:41

*Thread Reply:* It's possible the devices that are showing as failed are getting that error, but I'm going to assume they are not at this point, because when I look up that list they are all cell phones used remotely, and that team has been instructed to keep Wi-Fi off when out and about doing their job because otherwise it breaks their VPN connection (or so I'm told). So in order to stay connected and avoid multiple logins they stay on cellular all day long, but are supposed to connect to Wi-Fi when they get home at night and pull down any pending updates. They clearly don't do that every night or I wouldn't have so much red on that chart 😄

Boe (bkelley1982@gmail.com)
2021-01-29 15:00:36

*Thread Reply:* Also we are a SaaS customer on Version: 20.11.0.7 (2011) not sure if that matters or not but worth sharing since you are running into issues. Maybe someone smarter than me here will chime in with what might be causing your issue.

Raul (rnadal@mobileiron.com)
2021-02-01 07:44:37

Hey There!,

I’ve found that Outlook for iOS is very bad when we talk about contacts.

Basically, customer can copy contacts from Outlook for iOS to iOS Contacts app, but users cannot add new contacts from device or edit them and sync back to Office365/Exchange Online.

Raul (rnadal@mobileiron.com)
2021-02-01 07:44:48

Is that the expected behaviour ?

Peter Mohr (pm@conscia.com)
2021-02-01 07:46:53

The best practice from MS (now) is to set up contacts-only sync in Native Contacts and then disable sync from Outlook to native.

👍 Woody
Raul (rnadal@mobileiron.com)
2021-02-01 07:48:03

Can this be configured remotely or does it require user interaction?

Raul (rnadal@mobileiron.com)
2021-02-01 07:49:15

On my tests it’s a big mess, important enough to switch from Outlook for iOS to iOS mail or even any other mail client able to handle this properly.

Peter Mohr (pm@conscia.com)
2021-02-01 07:49:24

Use CBA and then this is 100% automated

Peter Mohr (pm@conscia.com)
2021-02-01 07:49:35

🙂

Raul (rnadal@mobileiron.com)
2021-02-01 07:50:11

I only talk about contacts syncing, not authentication.

Raul (rnadal@mobileiron.com)
2021-02-01 07:50:17

From Outlook

Peter Mohr (pm@conscia.com)
2021-02-01 07:50:56

Yes, stop sync from Outlook to Native and then have both Outlook and native contacts sync directly to Exchange. This is best practice now

Almar Diehl (almar.diehl@blaud.com)
2021-02-01 08:15:53

*Thread Reply:* Although this is what MS advises us to do, I believe it is the worst practice since it also requires you to modify your conditional access rules. You will need to allow ActiveSync, so be sure to also implement a check if the new ActiveSync profile is installed. If not, it could mean that the user already created an ActiveSync profile manually, allowing him to also sync mail and calendar data to the native apps.

Unfortunately this is the only solution that will work for most users.

Peter Mohr (pm@conscia.com)
2021-02-01 08:24:51

*Thread Reply:* Well, you can disable ActiveSync with username/password, allowing only CBA, and you can send down the profile with just contacts (and disable the user from enabling email and/or calendar). I think we can greatly improve usability here by following this practice.

The Outlook => native sync is the worst experience ever. Both in terms of user experience but as importantly security wise.

Almar Diehl (almar.diehl@blaud.com)
2021-02-01 08:27:08

*Thread Reply:* Absolutely agree! Especially since Outlook --> native sync of your contacts uses iCloud and therefore syncs all your business contacts to ALL your i-Devices that use the same iCloud account. Also to devices that are unmanaged.

Travis Reeves (travis.reeves@amedisys.com)
2021-02-04 19:19:29

*Thread Reply:* @Peter Mohr how would switching to CBA and disabling username/password affect other systems using the ActiveSync protocol? For example, right now our old MDM we're retiring uses ActiveSync for email access. It's also been mentioned that our Teams rooms devices might be using the ActiveSync protocol for their scheduling.

Peter Mohr (pm@conscia.com)
2021-02-04 21:04:23

*Thread Reply:* Yeah, you still need ActiveSync protocol.. It comes with auth in three flavours

  1. Basic Auth - Username/password
  2. Basic Auth - Certificate Based Auth
  3. Modern Auth - “web login”

You should disable #1 and only use #2 (and perhaps #3)

Ladislav Blazek (ladislav@lblazek.cz)
2021-02-05 12:31:09

*Thread Reply:* It is getting complicated when you configure the new “partner compliance” between 3rd party MDM (like WSO UEM) and AAD (Intune) and enable Conditional Access Policy on AAD side to require compliant devices only. After device enrollment you need to push Exchange payload (with contact only) ASAP to avoid the possibility that user will add account manually… The issue is that user will get authentication prompt for Exchange waaay before MS Authenticator is installed/account added/device registered to AAD. So authentication will fail. CBA will not help in this case as well… To be honest it is nightmare from UX perspective.

Almar Diehl (almar.diehl@blaud.com)
2021-02-05 13:57:31

*Thread Reply:* You can prevent this by creating a compliance policy that checks if the mail configuration that you wish to push to the devices is installed. If not, quarantine the device.

Almar Diehl (almar.diehl@blaud.com)
2021-02-05 13:59:13
Ladislav Blazek (ladislav@lblazek.cz)
2021-02-05 14:00:34

*Thread Reply:* @Almar Diehl device is not managed by Intune but WSO UEM

Almar Diehl (almar.diehl@blaud.com)
2021-02-05 14:01:03

*Thread Reply:* Ah sorry, missed that.

Ladislav Blazek (ladislav@lblazek.cz)
2021-02-05 14:04:26

*Thread Reply:* Basically WSO UEM is just flagging device as compliant/non-compliant in AAD. Only MS Authenticator can register device in AAD and then pass AAD Device ID to match to that device record so all auth traffic must go through MS Authenticator.

Travis Reeves (travis.reeves@amedisys.com)
2021-02-05 14:15:58

*Thread Reply:* @Ladislav Blazek Are you using Outlook as the mail client for WSO UEM devices, or a third party client? In ActiveSync you auto-approve based on agent version on device.

Ladislav Blazek (ladislav@lblazek.cz)
2021-02-05 14:27:32

*Thread Reply:* @Travis Reeves Outlook as the mail client, native iOS app for Contact sync (Exchange profile with just contacts enabled). There is a Conditional Access Policy configured on the AAD side to allow compliant devices only. So agent filtering on Exchange for EAS will not help. The problem is that MS Authenticator needs to be installed together with the SSO Redirect Extension (using the MS Authenticator plugin), the user needs to add the company account to MS Authenticator and then register the device to AAD. All this will take some time… But the Exchange profile is applied immediately after enrollment and the user is prompted to authenticate. Authentication will fail again and again… until all the previously mentioned steps related to MS Authenticator setup are done.

Ladislav Blazek (ladislav@lblazek.cz)
2021-02-05 14:32:17

*Thread Reply:* So basically my recommendation at the beginning for that customer was avoid Outlook contact sync and use native contacts synced via Exchange profile instead… now trying to figure out how to make that process user friendly during device enrollment, but I don’t see an easy way.

Kiran Patel (kiran@kiranpatel.net)
2021-02-10 02:15:36

*Thread Reply:* We push an EAS Contacts only profile via MDM using CBA for Auth and block all other Auth at the Exchange Online layer. This way native caller ID is there and access is available to managed apps with the iOS restrictions. Outlook iOS is there for email, calendar etc

Peter Mohr (pm@conscia.com)
2021-02-01 07:51:40

https://techcommunity.microsoft.com/t5/intune-customer-success/new-contact-sync-scenario-available-with-outlook-for-ios-on/ba-p/1063632

Peter Mohr (pm@conscia.com)
2021-02-01 07:52:39

Remember that the Outlook to native sync moves contacts from managed to unmanaged… This other way keeps contacts managed all the time

👍 Woody, Steven, Ray Domingue
Raul (rnadal@mobileiron.com)
2021-02-01 07:52:59

Ah, OK. Let me check that

Raul (rnadal@mobileiron.com)
2021-02-01 07:53:17

Thanks in advance, buddy

Damian (support@expertmobilite.com)
2021-02-01 08:38:47

Hey guys, quick question on DEP. Can you tell me if switching to supervised mode on iOS COPE devices has an impact on displaying personal apps on the Airwatch console and if so, is there a way to mask that from the admin view. At the moment, we don’t collect any personal data due to the privacy settings but we are looking at improving deployment and support for corp devices via DEP.

Ajay Patel (ajay5675@msn.com)
2021-02-01 08:52:22

*Thread Reply:* you can just amend your privacy settings in the OG that the devices sit in and untick the box as shown in the image to not collect app data

Damian (support@expertmobilite.com)
2021-02-01 08:53:53

*Thread Reply:* Yes I know that - it’s what we currently do with COPE devices. However my question is if the devices are supervised, does that setting take priority or are all apps (not just those which are managed) shown on the console ?

Ajay Patel (ajay5675@msn.com)
2021-02-01 08:58:35

*Thread Reply:* If I remember rightly, I believe this doesn't show any app that is not pushed out via VPP. So if a user downloads an app from the App Store, you will not see it in the list if this box is unticked.

Damian (support@expertmobilite.com)
2021-02-01 15:37:22

*Thread Reply:* I’ll do a series of tests to double check

Raul (rnadal@mobileiron.com)
2021-02-02 16:10:44

*Thread Reply:* Privacy policies have 0 differences on supervised vs unsupervised iOS devices.

Raul (rnadal@mobileiron.com)
2021-02-02 16:11:09

*Thread Reply:* Difference is only on VPP and restrictions (and some payloads like wallpaper or layout folders)

Raul (rnadal@mobileiron.com)
2021-02-02 16:11:48

*Thread Reply:* But you will not see anything else different from what the privacy policy allows/gathers

Raul (rnadal@mobileiron.com)
2021-02-02 16:12:19

*Thread Reply:* It’s just that if you also use VPP, your users will be happy to see seamless app installation

Damian (support@expertmobilite.com)
2021-02-02 17:41:21

*Thread Reply:* Thanks that’s what I thought!

Damian (support@expertmobilite.com)
2021-02-02 17:42:27

So is everyone forcing iOS 14.4 on their users following the 3 critical vulnerabilities? Apple are staying relatively quiet on this and our security teams are all guns blazing🤔

Boe (bkelley1982@gmail.com)
2021-02-02 17:46:28

*Thread Reply:* We are, since it was confirmed that one of the exploits had been used in the wild. Also our deployment of Corp iPads is pretty small compared to a lot of people in here, so the risk is pretty minimal to us. We actually needed iOS 14.4 to drop as it fixed an issue with apps built in Xamarin, which a few of our vendors use, so this actually fixes multiple things for us besides the security patches.

👍 Woody
Phil Hackett (phil.hackett83@gmail.com)
2021-02-02 18:26:25

*Thread Reply:* Our security team wants 60k devices updated to iOS 14.4 within 7 days....they’re living in a fantasy land.

🤣 Boe, Woody
Damian (support@expertmobilite.com)
2021-02-02 18:29:29

*Thread Reply:* I know the feeling! We’ve also been given 7 days for the 7k devices...but our group manages over 100k on other WS1 tenants !

👍 Phil Hackett, Woody
Woody (eric.woodland@trust.tc)
2021-02-02 21:08:43

*Thread Reply:* In the capacity of a MSP.. we’re strongly advising it. When there are 3+ critical vulnerabilities it always gets the Nike “Just Do It” approach

😆 Damian
Boe (bkelley1982@gmail.com)
2021-02-04 14:50:14

*Thread Reply:* This thread just got me curious: is there an easy way to push out iOS 14.4 to all devices in Intune? I know WS1 made it pretty simple but since we pumped the brakes on Intune as a company at least for now I'm curious if MS put something similar in place.

Woody (eric.woodland@trust.tc)
2021-02-04 18:17:16

*Thread Reply:* @Boe Yeah, they’ve got it in there now (at least as part of “Endpoint Management”)

Woody (eric.woodland@trust.tc)
2021-02-04 18:17:20

*Thread Reply:*

👍 Boe
Amine (amine.ayad@gmail.com)
2021-02-03 15:02:16

Is anyone able to access Apps & Books on ABM? It seems down.

Eric Thiele (eric@ibm.com)
2021-02-03 15:04:06

*Thread Reply:*

👍 Amine
Boe (bkelley1982@gmail.com)
2021-02-03 15:07:45

*Thread Reply:* Yup down for me as well must be doing some sort of maintenance again or something

👍 Amine
Jay (vita@akut-hr.de)
2021-02-03 15:15:16

*Thread Reply:* Are you guys using it while connected to VPN? Usually I see that screen when I access ABM with VPN on. Once I turn it off I do have access to the Apps and Books part.

Amine (amine.ayad@gmail.com)
2021-02-03 15:15:54

*Thread Reply:* Nope, tried with multiple open Wi-Fi including LTE hotspot.

Jay (vita@akut-hr.de)
2021-02-03 15:16:24

*Thread Reply:* Oh, let me try it too

Jay (vita@akut-hr.de)
2021-02-03 15:19:25

*Thread Reply:* Confirm. Had to accept T&C and then same screen as Eric.

Amine (amine.ayad@gmail.com)
2021-02-03 15:20:07

*Thread Reply:* What's funny is that it shows as Up and Running here : https://www.apple.com/fr/support/systemstatus/

Amine (amine.ayad@gmail.com)
2021-02-03 15:20:17

*Thread Reply:* Always knew that thing was updated manually.

Jay (vita@akut-hr.de)
2021-02-03 15:20:26

*Thread Reply:* I have two instances, trying the second one now.

Jay (vita@akut-hr.de)
2021-02-03 15:21:35

*Thread Reply:* Nope, definitely down.

Ajay Patel (ajay5675@msn.com)
2021-02-03 15:34:18

*Thread Reply:* it's been updated now

Ajay Patel (ajay5675@msn.com)
2021-02-03 15:34:27

*Thread Reply:* as in the status checker haha

Ajay Patel (ajay5675@msn.com)
2021-02-03 17:09:11

*Thread Reply:* services look to be restored now

Ray Domingue (raydomingue@gmail.com)
2021-02-03 17:18:36

For those that are using app protection policies (w/ Intune) ... !! https://www.reddit.com/r/Intune/comments/lb0y95/ios_145_breaks_apps_that_are_app_protected/

👀 Woody
Boe (bkelley1982@gmail.com)
2021-02-03 18:14:27

*Thread Reply:* Hopefully they fix it by the time it goes GA or we are all in for a rocking good time 😛

😆 Woody
Ray Domingue (raydomingue@gmail.com)
2021-02-03 19:38:54

*Thread Reply:* Agreed, but still I don't need this. SMH.

🤣 Boe, Travis Reeves
Jay (vita@akut-hr.de)
2021-02-04 08:15:30

*Thread Reply:* I ran into that issue yesterday and was expecting some communication about this

Thierry (thierryjouannic@gmail.com)
2021-02-03 17:42:43

@Thierry has joined the channel

Travis Reeves (travis.reeves@amedisys.com)
2021-02-03 21:26:03

@Travis Reeves has joined the channel

Boe (bkelley1982@gmail.com)
2021-02-04 20:20:03

What is the best way to get logs from an iOS device in regards to Apple Mail? I'm trying to figure out why some users can establish an Active Sync connection while others at random can't.

brob (brian.robinson@gartner.com)
2021-02-04 20:49:00

*Thread Reply:* If you have an AppleCare support agreement they can provide an EAS specific profile to capture sysdiagnose logs…

Peter Mohr (pm@conscia.com)
2021-02-04 21:01:57

*Thread Reply:* Deploy one or more of the debug profiles from https://developer.apple.com/bug-reporting/profiles-and-logs/ and then have the user generate a SysDiagnose in one of two ways… Buttons or AssistiveTouch.. https://download.developer.apple.com/iOS/iOS_Logs/AssistiveTouch_Sysdiagnose_Logging_Instructions.pdf

👍 Boe
Mark Vonk (mark.vonk@dahvo.com)
2021-02-04 22:07:50

*Thread Reply:* Sysdiagnose logs can help too: https://www.jessesquires.com/blog/2018/02/08/how-to-sysdiagnose-ios/

Thomas Steinmetz (thomas.steinmetz@ebf.com)
2021-02-08 17:31:29

@Thomas Steinmetz has joined the channel

Massinissa Menas (menas.massinissa@gmail.com)
2021-02-10 09:20:47

@Massinissa Menas has joined the channel

Rajesh Daadi (rajesh@codeproof.com)
2021-02-10 13:57:21

@Rajesh Daadi has joined the channel

Lucile Riand (lucile.riand@ebf.com)
2021-02-10 18:45:54

@Lucile Riand has joined the channel

Satish Shetty (sat@codeproof.com)
2021-02-10 19:42:07

@Satish Shetty has joined the channel

Ronan SAILLARD (ronan.saillard@open-groupe.com)
2021-02-10 20:47:06

@Ronan SAILLARD has joined the channel

Karsten Jakobsen (kkj@globeteam.com)
2021-02-12 15:55:16

@Karsten Jakobsen has joined the channel

Boe (bkelley1982@gmail.com)
2021-02-17 19:33:05

Anyone have any tips or tricks for forcing down iOS updates? I'm specifically looking for tips and tricks to get the update applied on users' devices with lock screen pins since it seems like those require user interaction and as a result a number of our devices are not getting updated.

Peter Mohr (pm@conscia.com)
2021-02-17 19:36:20

shared devices or “personal” ? Supervised?

Boe (bkelley1982@gmail.com)
2021-02-17 19:50:34

*Thread Reply:* Dedicated Corporate devices fully managed via WS1/ABM.

Peter Mohr (pm@conscia.com)
2021-02-17 19:55:38

*Thread Reply:* We use a mix of compliance policies which includes notifying the end user via push and e-mail and pushing updates and within xx days removing mail access if device isn’t updated

Boe (bkelley1982@gmail.com)
2021-02-17 20:02:04

*Thread Reply:* Ya I actually just put a compliance policy on a group of them to block email access until they update their device since the users just ignore our email / hub notification requests lol. It's just frustrating Apple doesn't give us the ability to force the install/reboot like you can on a device that doesn't have a lock screen pin.

🤣 Ray Domingue
aaron (aaron@groundctl.com)
2021-02-17 21:58:07

*Thread Reply:* Ouch.

🤣 Boe
Jay (vita@akut-hr.de)
2021-02-18 08:51:44

*Thread Reply:* We use a mix of compliance policy and conditional access policies in MEM. Users get a grace period of 7 days to update to the requested OS; after those 7 days access to company resources is blocked on the device.

Ray Domingue (raydomingue@gmail.com)
2021-02-18 20:51:12

*Thread Reply:* @Boe you don't say ... they ignore your email??? #ThatsMyLifeTooEveryday

🤣 Boe, Jay
Ray Domingue (raydomingue@gmail.com)
2021-02-18 20:52:29

*Thread Reply:* We're going to start doing this as well in Intune, the problem is we have users that live in remote areas and not only do they not have Wi-Fi in their home, but they are not allowed in the regional offices b/c of Covid-19. So we're having to think outside the box on this.

Boe (bkelley1982@gmail.com)
2021-02-18 21:17:15

*Thread Reply:* I wish you the best of luck on that sir, it appears Apple has made this more of a pain in iOS 14 now requiring the device both be on Wi-Fi and plugged into power in order to update. Come on Apple I thought you were supposed to be the ones all for keeping things simple lol

Woody (eric.woodland@trust.tc)
2021-02-19 15:49:47

Can anyone else confirm if you’re seeing this “lack” of control/behavior with Shared iPad for Business in other MDMs? https://www.reddit.com/r/Intune/comments/llr25e/shared_ipad_for_business_change_inactivity_lock/

iMZ (mark_zimmermann@me.com)
2021-03-08 06:59:30

*Thread Reply:* You can change the timeframe with your mdm

Woody (eric.woodland@trust.tc)
2021-03-08 14:31:23

*Thread Reply:* @iMZ it may be that InTune is lacking support for several shared iPad features, but so far everything pushed via MDM is ignored.

Mikey2000 (mscottscranton079@gmail.com)
2021-02-26 06:55:42

Our DEP reseller told us that they have approved several new devices that we have bought, but these devices will not show up within the business manager. So the reseller told us it could take up to 72 hours, but that time has passed. The reseller told us they can’t help. Are there any logs within ABM that I can pull or do I need to raise a case with Apple?

Ajay Patel (ajay5675@msn.com)
2021-02-26 15:11:57

*Thread Reply:* If there were any errors uploading to your portal you would receive an email from Apple. If you haven’t received these errors then like Peter says they have probably uploaded to the wrong portal.

👍 Mikey2000, Thomas B.
Peter Mohr (pm@conscia.com)
2021-02-26 07:26:23

9/10 cases like this we see is caused by the reseller sending devices to the wrong customer ID and they don’t pay attention to any errors coming back from Apple too…

✅ Jay
🙏 Mikey2000
👍 Scott Arndt
Amine (amine.ayad@gmail.com)
2021-03-01 16:57:37

Hi, I’m facing an issue with the Global HTTP Proxy configuration. It is not bypassing the PAC in case it’s not reachable, despite being enabled on the profile. Has anyone seen this before? Just looking for a quick resolution before starting to review the iOS logs.

Sidney (sidney.laan@gmail.com)
2021-03-08 12:48:22

@Sidney has joined the channel

Gary (mcconnell.gary@gmail.com)
2021-03-10 14:39:57

@Gary has joined the channel

Gary (mcconnell.gary@gmail.com)
2021-03-10 14:42:44

Hi, any suggestions on how to backup user data on remote supervised devices before a hardware refresh? We would then look to restore the data on the newly supervised device. We usually suggest iCloud as the ideal solution but customer is looking for alternative solutions.

Jay (vita@akut-hr.de)
2021-03-10 14:48:47

*Thread Reply:* Hi, alternative could be encrypted backup using iTunes.

Raul (rnadal@mobileiron.com)
2021-03-10 15:14:15

*Thread Reply:* The best way to do it is to retire the device from UEM, make a backup, and then restore to the new supervised device

👍 Pierre Michaud
Raul (rnadal@mobileiron.com)
2021-03-10 15:14:29

*Thread Reply:* That’s the cleanest way

Steven (steven@pro.incogni.ch)
2021-03-11 14:49:00

*Thread Reply:* You can't unenroll a supervised device without wiping it, or I have missed something recently 🤔

Jay (vita@akut-hr.de)
2021-03-11 14:49:41

*Thread Reply:* Correct, you’d need an admin to issue a “Retire/Unenroll” command from the console.

Steven (steven@pro.incogni.ch)
2021-03-11 14:51:32

*Thread Reply:* But the device would still need to be wiped.

Raul (rnadal@mobileiron.com)
2021-03-11 21:48:26

*Thread Reply:* No, you just want to pull the MDM profile, but you can def do the backup after retiring device

👍 Steven
Nick Knight (arpknight@gmail.com)
2021-03-12 01:51:35

Hi all, We've noticed that since updating to iOS 14 on a COBO device, Safari is no longer available in Passwords & Accounts, Autofill. (Our COBO devices do not have an Apple ID)

I saw that there was a change in how Keychain works with Autofill in iOS 14 in the various articles regarding it.

I'm guessing that without an Apple ID on a device, Safari cannot use Autofill anymore in iOS 14, as it seems to integrate with the Keychain function instead? Is anyone else having this issue and could confirm this is how it now works?

Or do we have a switch in our MDM we need to disable somewhere... I've checked WS1 and I tried just removing all profiles from the device and it's still affected.

aaron (aaron@groundctl.com)
2021-03-12 11:57:38

*Thread Reply:* I don’t think that’s it. I believe safari gets its passwords from the keychain. So “keychain” is what you want to enable.

If a device has an Apple ID and iCloud then this option changes to “iCloud Keychain”.

Nick Knight (arpknight@gmail.com)
2021-03-15 23:48:42

*Thread Reply:* Thanks, you're dead right. our users just need to enable 'Keychain' as per the screenshot and functionality comes back

Looks like for our users at least, upgrading to iOS14 disabled this feature so it had to be enabled again.

Jeremy (jeremy@bodokh.com)
2021-03-12 15:00:16

Hi everyone, do you know if it’s possible to force an update from the app store on a non supervised device ? The documentation does not suggest that anything like this exists (even for supervised) but I might have missed something. Our client would like to make sure that one managed application is always updated to the latest version. Thanks

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-12 15:02:25

You need VPP (ABM) and device license assignment.

Jeremy (jeremy@bodokh.com)
2021-03-12 15:03:26

I can force update “public” app on non supervised devices ?

Jeremy (jeremy@bodokh.com)
2021-03-12 15:04:54

I’m looking at the docs right now seems to do the job

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-12 15:16:22

*Thread Reply:* VPP works regardless of supervision. App is already installed. So if assigned with device license, MDM should be able to send update command.

Jeremy (jeremy@bodokh.com)
2021-03-12 15:53:00

*Thread Reply:* I’ll have a look at it thanks for the help.

Todd Cole (toddcole13@hotmail.com)
2021-03-12 21:39:14

*Thread Reply:* If the app is installed by the MDM then it can update it. if the user installed the app then the MDM can not force the update, however if the MDM takes over the app then it can update it (app takeover has to be enabled in the MDM)

➕ Thomas B.
Ladislav Blazek (ladislav@lblazek.cz)
2021-03-12 23:24:13

*Thread Reply:* True, good point. A push message to convert an app from unmanaged to managed state is supported by nearly every MDM. On a non-supervised device the user needs to approve that conversion = user will be prompted and can decline. But right now I am not sure about one thing... when the app is installed by the user and is converted to managed state, could the license be changed as well from the user to the device licensing model without app reinstallation? Afaik app auto updates work only when device licensing is enabled.

Daniel Kr. (daniel.kraussler@cancom.at)
2021-03-17 08:44:05

@Daniel Kr. has joined the channel

Esa Hietikko (esa.hietikko@miradore.com)
2021-03-25 11:14:22

@Esa Hietikko has joined the channel

Dan Whiteley (danw@avr.co.uk)
2021-03-25 13:55:19

@Dan Whiteley has joined the channel

AU-Consultant (sambenenge@gmail.com)
2021-03-29 21:46:12

Heads up - https://kb.vmware.com/s/article/82793?lang=en_US

Jeremy (jeremy@bodokh.com)
2021-03-30 08:46:20

*Thread Reply:* Thanks for the info. Is there a way to follow these cases without an Apple care enterprise subscription?

AU-Consultant (sambenenge@gmail.com)
2021-03-30 20:37:46

*Thread Reply:* openradar.appspot.com tracks apple bugs (radars), but it doesn't catch them all. I think it is up to the originator of the radar to list it themselves and they haven't in this case (radar FB9010428). We have logged a ticket with AppleCare to see if they can tell us anything further, so I will let you know what they come back with.

AU-Consultant (sambenenge@gmail.com)
2021-03-30 21:42:28

*Thread Reply:* AppleCare have acknowledged the issue and are planning a fix in a future iOS release.

Jeremy (jeremy@bodokh.com)
2021-03-31 09:52:05

*Thread Reply:* @AU-Consultant thanks a lot

Colby Burrows (coburrow@starbucks.com)
2021-03-31 19:01:54

@Colby Burrows has joined the channel

JR (jason.reese3@gmail.com)
2021-04-01 03:13:24

@JR has joined the channel

Scott Arndt (scott.arndt1982@gmail.com)
2021-04-01 15:20:14

@Jason Bayton love the new site. 🤣

😁 Jason Bayton
Jason Bayton (jason@bayton.org)
2021-04-01 15:21:19

*Thread Reply:* thank you. I'll be hanging my hat here from now on 😄

😆 ninex
Matt Dermody (jmdermody@gmail.com)
2021-04-01 16:22:58

*Thread Reply:* Should we go ahead and just archive all the Android channels?

Jason Bayton (jason@bayton.org)
2021-04-01 16:23:46

*Thread Reply:* Couldn't make Android documentation any worse 😛

Damian (support@expertmobilite.com)
2021-04-06 09:58:16

In case anyone is interested, we’re going to start pushing our devs to incorporate this into all future enterprise apps! https://betterprogramming.pub/how-to-prevent-screen-capture-at-ios-14-1f01173c31c0

👍 Woody
Michael Goad (michaelpat87@gmail.com)
2021-04-12 21:01:25

Question for the community, I can’t test this in my own lab tenant. If we have users that are logged into email (unmanaged) but now we want to force MDM enrollment to access, setting up an External proxy of sorts with O365 to force that behaviour. If we do that, would that break connections for existing users' authenticated email, forcing them to enroll into MDM?

Woody (eric.woodland@trust.tc)
2021-04-13 19:50:10

*Thread Reply:* @Michael Goad What MDM are you using? This is a good use case for implementing Device Trust. There are several vendors offering this (and several ways to implement), but essentially you’re screening devices before allowing them into managed modern services. If you’re still using ActiveSync, you can toss a certificate auth requirement on top of the connection.. then anyone not managed would automatically be filtered-out/denied access until they become managed.

Jeroen (kruitje@outlook.com)
2021-04-16 15:43:48

@Jeroen has joined the channel

Boe (bkelley1982@gmail.com)
2021-04-20 16:13:20

oooof

😬 Caryn
Ville Raassina (ville.raassina@advania.com)
2021-04-20 17:36:54

*Thread Reply:* Anyone have any MS links about this? Have one customer reporting this (VMware tickets, thought this is some issue with WS1.. but as said: App works if "non-MDM managed", installed from App Store)

Ville Raassina (ville.raassina@advania.com)
2021-04-20 17:56:57

*Thread Reply:* Ok, Endpoint Manager - Service Health has the notes from MS. Just took some digging (thanks for the heads up and posting the MobileJon - link.. there was screenshot in the Linkedin post 🙂 )

Thomas B. (tbosboom@apple.com)
2021-04-21 20:35:59

*Thread Reply:* Looks like it has been resolved by MS.

👍 Woody
Tyler Reidie (tylerr@ca.ibm.com)
2021-04-26 23:54:11

@Tyler Reidie has joined the channel

Woody (eric.woodland@trust.tc)
2021-04-30 18:36:09

DEP Device Migration Question: If a DEP Policy is set to allow Device Migration, is allowing the user to sign-in to an iCloud account mandatory?

Woody (eric.woodland@trust.tc)
2021-05-03 16:09:43

*Thread Reply:* Anyone have insight on this one? My gut says the migration wizard would port over the Apple ID and the user wouldn’t be prompted?

Thomas B. (tbosboom@apple.com)
2021-05-06 13:26:00

*Thread Reply:* Are you referring to iOS QuickStart (https://support.apple.com/en-us/HT210216) ? In that case I think the fine print at the bottom of that page may be relevant to your question: “** If your new iPhone is enrolled in Apple School Manager or Apple Business Manager, you can’t use Quick Start to transfer data from your current iPhone.”

Woody (eric.woodland@trust.tc)
2021-05-10 20:18:25

*Thread Reply:* @Thomas B. Yeah, this was posted before I got down into the details. Company isn’t going to buy iCloud storage plans for backups, so if a user happens to have an Apple ID and backups.. they can restore. Else, the new device is provisioned with a baseline of business apps and user can add extras as they go.

Woody (eric.woodland@trust.tc)
2021-05-10 20:19:16

*Thread Reply:* For CSuite/Exec level… may exclude new device from DEP Server assignment and allow use of the Migration Wizard.. then User Enroll into MDM after the wizard completes.

Thomas B. (tbosboom@apple.com)
2021-05-10 20:23:30

*Thread Reply:* That would work. Also, local (‘iTunes’) backup can sometimes be an option for those without sufficient iCloud storage. If you happen to have a contact with a local friendly AppleSE they might also be able to help you ensure you consider all options.

👍 Woody
Boe (bkelley1982@gmail.com)
2021-05-04 00:58:42

Another week another iOS exploit 😄 I kid but man it seems like this is becoming a weekly thing lately https://www.theverge.com/2021/5/3/22417984/ios-14-5-1-ipad-iphone-apple-watch-mac-update-security-fix

🥲 Jay, Jason
Woody (eric.woodland@trust.tc)
2021-05-04 17:12:56

*Thread Reply:* I thought the same. Should have let some of the betas bake a little longer. Glad I skipped 13.3.0 on MacOS, since it comes in at nearly 6.5Gb (and would have been nearly 13gb of updates after doing 13.3.1)

Caryn (Csnshop@icloud.com)
2021-05-04 23:56:13

*Thread Reply:* I think it was just new emojis 🥱😶‍🌫️ 😵‍💫

Caryn (Csnshop@icloud.com)
2021-05-04 23:58:42

*Thread Reply:* …one of which is not working as intended. Anticipate another update soon 🤣

🤣 Boe, Woody
Boe (bkelley1982@gmail.com)
2021-05-05 15:05:31

*Thread Reply:* Ya even my die hard iOS friends/co-workers are getting a little annoyed by this. 3 out of the last 5 updates are to fix exploits. So much for Apple Security being superior 😄 In all fairness they make great products but this is starting to feel like iOS 13 all over again.

Caryn (Csnshop@icloud.com)
2021-05-05 15:07:26

*Thread Reply:* Maybe the security team was distracted by the Gates divorce 😆

😆 Woody
Boe (bkelley1982@gmail.com)
2021-05-05 15:09:12

*Thread Reply:* Ooooof

Sherman Chen (sherm@me.com)
2021-05-05 19:22:11

@Sherman Chen has joined the channel

macbentosh (benbergthold@gmail.com)
2021-05-10 16:11:55

how can you push a shared cal with MI?

Peter Mohr (pm@conscia.com)
2021-05-11 09:04:27
Ajay Patel (ajay5675@msn.com)
2021-05-14 14:11:22

does anyone here have any good material they reference if talking to customers about migrating from in-house apps to custom apps?

brob (brian.robinson@gartner.com)
2021-05-14 16:28:18

*Thread Reply:* i think this is a good overview https://developer.apple.com/videos/play/wwdc2020/10667/

Thomas B. (tbosboom@apple.com)
2021-05-17 19:40:40

*Thread Reply:* I quite like the table of distribution options published here at the end of the page: https://developer.apple.com/business/distribute/

Thomas B. (tbosboom@apple.com)
2021-05-17 19:41:41

*Thread Reply:* Also, that page links to pages with more detail on both the Enterprise program and Custom apps respectively, e.g. https://developer.apple.com/custom-apps/

👍 Woody
Ajay Patel (ajay5675@msn.com)
2021-05-18 09:24:04

*Thread Reply:* thanks @Thomas B. that's exactly what I was looking for

Boe (bkelley1982@gmail.com)
2021-05-14 19:15:50

Anyone know if there is a way to disable "Facetime Live Photos" via an MDM rather than doing it by hand?

Woody (eric.woodland@trust.tc)
2021-05-25 20:56:13

Anyone want to place bets on when iOS 14.6.1 drops? As much as I want to upgrade, I’m pretty much just advocating the .1 at this point…

jj (jj@autolean.com)
2021-05-25 23:37:56

this guy

✅ Woody
Leon (leonashtonleatherland16@gmail.com)
2021-05-28 15:18:39

Hi All, anyone know what the following is specifically referring to on an iOS device? customer is reporting very high data usage on devices when they have enrolled into Intune

ninex (me@willworland.com)
2021-05-28 15:28:40

*Thread Reply:* Hi Leon. This is where iOS stores the data value for traffic related to the EMM. Check-ins are negligible, but this could be related to an initial sync of a large mailbox(s) or if there is a configuration error in the work-stream w/ the EMM, it could be constantly throwing errors back to the service. Sometimes just doing an unenroll/reenroll can solve these issues as well. Here's an Apple Support article on what some folks have done to find the resolution. https://discussions.apple.com/thread/5386573?answerId=23327904022#23327904022

👍 Leon, Mikey2000
Leon (leonashtonleatherland16@gmail.com)
2021-05-28 15:31:30

*Thread Reply:* Very useful - many thanks. My initial thoughts were to take a look at the mailbox settings

👍 ninex
Damian (support@expertmobilite.com)
2021-06-01 10:46:04

Hi, we’re rolling out DEP and need to prevent auto-enrollment if the device is ever lost or stolen. The idea is to apply another DEP profile that would require authentication if that ever happened but this means more manual admin work after the device is enrolled. Can anyone suggest a better way around this? Thanks

Peter Mohr (pm@conscia.com)
2021-06-01 12:22:05

Do you have auth on or off for DEP enrollments in general? We sometimes have a DEP profile called “Lost devices” that we auto-enroll into a locked down part of MDM with all apps hidden etc… Thieves can enroll but have no use for the device and we get to see and control the device again

Damian (support@expertmobilite.com)
2021-06-01 13:03:29

*Thread Reply:* Yeah we have auth off when the device is first enrolled and then put them in a lost mode with auth on so they can’t advance. I guess it’s the only option?

Niklas Jenslöv (niklas.jenslov@gmail.com)
2021-06-02 10:14:48

Hi! We have big problems with iOS devices getting stuck on the Apple logo after iOS update. The problem seems to have escalated since we started to schedule OS Updates via MDM (Workspace One UEM). Anyone experienced same issue?

Peter Mohr (pm@conscia.com)
2021-06-02 10:50:10

yes. known issue with Apple

Peter Mohr (pm@conscia.com)
2021-06-02 10:50:12

😞

Peter Mohr (pm@conscia.com)
2021-06-02 10:50:30

most of the time you can set device in DFU mode and exit DFU mode and then it works again

Niklas Jenslöv (niklas.jenslov@gmail.com)
2021-06-02 12:28:39

Yes, that's what we do as well. I wish there were something we could do remotely though. (or that the problem didn't exist in the first place) Thanks Peter!

Peter Mohr (pm@conscia.com)
2021-06-02 12:30:07

Yes, for sure. We have also seen bricked devices that need their hardware replaced by Apple after the last few OS updates 😞

Ajay Patel (ajay5675@msn.com)
2021-06-07 09:41:24

has anyone seen the below issue when triggering a passcode reset from an EMM? The user cannot get rid of this prompt no matter what they type in, the phone does not accept the new passcode.

Mark Vonk (mark.vonk@dahvo.com)
2021-06-07 11:38:51

*Thread Reply:* What are the password requirements that are pushed?

Ajay Patel (ajay5675@msn.com)
2021-06-07 11:44:53

*Thread Reply:* just 6 digits

Ajay Patel (ajay5675@msn.com)
2021-06-07 11:45:31

*Thread Reply:* but we managed to resolve it by creating an alphanumeric passcode which isn't in the policy but allowed the user to continue to reset it then set it back to 6 digits after

Mark Vonk (mark.vonk@dahvo.com)
2021-06-07 11:47:49

*Thread Reply:* That’s weird. I have seen similar issues, but only when the password policy forced extreme password complexity

Woody (eric.woodland@trust.tc)
2021-06-07 14:16:41

Can anyone remind me - With the traditional SSO payload (strictly Kerberos), can you still wildcard URLs like we used to? e.g. http://**.example.com - Apple’s site shows reference to it, but I wanted to confirm. https://support.apple.com/guide/deployment-reference-ios/intro-to-kerberos-single-sign-on-apdf5b35aad2/web

Peter Mohr (pm@conscia.com)
2021-06-07 14:18:11

yes. no problem

👍 Woody
Roberth Diorges (roberthdiorges@gmail.com)
2021-06-07 18:45:14

@Roberth Diorges has joined the channel

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-12 13:18:09

@Bill Fitzgerald has joined the channel

Bill (slack@meshak.net)
2021-06-21 16:58:26

How is one able to get logs related to application installation failures on iOS? We use an in-house Timesheets app on iOS devices. The maintenance of the project has moved to a new person since the previous maintainer is pursuing other opportunities. There is a new version they want to test, but it's failing to install. I get a very generic error in iOS 14 that the integrity of the app could not be validated. When we rolled this app out a few years ago, I could sync the device via iTunes and then search the app install logs in the iTunes sync folder for more details, but I cannot repeat that now.

Jeremy (jeremy@bodokh.com)
2021-06-21 17:01:26

*Thread Reply:* When plugging the iOS device into a Mac, you can use the Console application to see the logs

👍 Woody
Jeremy (jeremy@bodokh.com)
2021-06-21 17:01:48

*Thread Reply:* Look for the package name of the application; you should be able to retrieve the correct log

Jeremy (jeremy@bodokh.com)
2021-06-21 17:02:17

*Thread Reply:* We usually see this error message when the app is not correctly signed (AdHoc or AppStore) instead of InHouse

Bill (slack@meshak.net)
2021-06-21 17:21:24

*Thread Reply:* <windows geek> Anything comparable for Windows? 😄 Time to try and scare up an Apple computer

Peter Mohr (pm@conscia.com)
2021-06-22 07:38:09

*Thread Reply:* Use Sysdiagnose to get the log file and open on any computer :)

👍 Woody
Nico Hermeling (nico.hermeling@outlook.com)
2021-06-22 08:47:21

*Thread Reply:* I have used this in the past, before I switched to a Mac:

1. Download the full set of exe's and dll's

  1. Create a folder named “DeviceLogs” in the root folder of your local C drive.
  2. Unzip the download to the C:\DeviceLogs folder.
  3. Click “Start” and in the search window type “powershell”.
  4. Type the following commands:
     cd \DeviceLogs ( hit enter )
     .\idevicesyslog.exe | tee LogName.log ( hit enter )

Reproduce the issue and hit Ctrl+C to stop the log capture. The LogName.Log file will be located in the C:\DeviceLogs folder.

NOTE: 1) Device must be unlocked prior to running either command. 2) You need to have iTunes installed on the computer.
Bill (slack@meshak.net)
2021-06-22 16:55:11

*Thread Reply:* Awesome, thanks for the help everyone!

Michael Dornstreich (michael.dornstreich@aspirus.org)
2021-07-01 16:11:14

@Michael Dornstreich has joined the channel

Boe (bkelley1982@gmail.com)
2021-07-01 18:37:06

I'm curious has anyone who supports BYOD made the switch to "User Enrollment" vs the traditional device enrollment? If so how has your experience been and what gotchas have you run into?

Barbra Conner (iambac777@gmail.com)
2021-07-06 18:21:49

*Thread Reply:* Great question!

Damian (support@expertmobilite.com)
2021-07-21 18:18:32

*Thread Reply:* Yep we ran a POC but as we do mobileSSO and federated our domain with ABM, this created an extra hurdle as our IDP sends any mobile user-agent to WS1 Access (this includes Safari that is used for end user enrollment). As the auth request comes from Azure, this impacts all Office mobile apps so we couldn’t put an exception in place to not forward the request for end user enrollment without impacting the security of the solution. There is a way to ensure conditional access between AirWatch and AAD but you need MS Authenticator for this and we already have our own Authenticator app…send me a PM if you want more details?

Daniel (d.weber@netze-bw.de)
2021-07-22 07:35:51

*Thread Reply:* We found an issue with per-app vpn (cert based auth). This is not possible with user enrollment. As we have the requirement for some apps with internal backend to use a per-app vpn this was the show stopper for us. Haven't looked into this for a while now to be honest but I believe this did not change yet.

Cedric Lüke (mail@cedric.cc)
2021-07-01 19:25:39

Very curious as well - we are looking into it right now. One thing we already noticed is that the keychain separation is not as robust as expected, especially for certificate auth in Safari/SafariViewController in apps like Authenticator

Boe (bkelley1982@gmail.com)
2021-07-01 22:14:09

*Thread Reply:* @Cedric Lüke I can't imagine we are the only ones looking at it. I would also like to think someone in here has already made the switch. I was watching this session from WWDC where they are talking about the change to declarative management that got me thinking about it again. https://developer.apple.com/videos/play/wwdc2021/10131/#:~:text=Declarative%20management%20allows%20the%20device,without%20prompting%20from%20the%20server.

Woody (eric.woodland@trust.tc)
2021-07-13 23:31:06

Can someone remind me: Federated Apple IDs + Shared iPad - Is there a way to have a digit Shared iPad Passcode? Similar to Windows Hello?

Woody (eric.woodland@trust.tc)
2021-07-13 23:32:18

*Thread Reply:* I swear on one of the initial builds I did, it was feasible. However, what I’m seeing here says that ABM will always enforce a complex passcode? https://support.apple.com/guide/mdm/shared-ipad-sign-in-mdm6c592d817/web

Todd Cole (toddcole13@hotmail.com)
2021-07-23 18:19:24

*Thread Reply:* Why share a passcode, use a guest login? Just curious.

Todd Cole (toddcole13@hotmail.com)
2021-07-23 18:19:37

*Thread Reply:* Or temporary login

Woody (eric.woodland@trust.tc)
2021-07-26 21:09:24

*Thread Reply:* @Todd Cole Customer was against Guest/Temporary, as the users need to be signed-in as themselves and be able to retain app data/settings/etc.

Todd Cole (toddcole13@hotmail.com)
2021-07-29 03:37:26

*Thread Reply:* Shared iPad with Managed Apple ID’s? Let's talk tomorrow if you are free, I feel I am missing something here.

Woody (eric.woodland@trust.tc)
2021-07-29 18:24:24

*Thread Reply:* Yes @Todd Cole - Shared iPad with MAIDs.

Woody (eric.woodland@trust.tc)
2021-07-29 18:24:42

*Thread Reply:* I’m free to chat this afternoon at any point. You know how to find me #Holler

Daniel Sellers (info@danielsellers.com)
2021-07-20 18:07:40

@Daniel Sellers has joined the channel

Justin Butts (justin.butts777@gmail.com)
2021-08-05 21:30:50

Hey hey - anyone know if iOS still can't handle profile changes that contain a change state for OAuth from disabled to enabled? I know a few years ago it would never pick up the change and you'd need to actually pull the profile and send a new one - anyone have any insights?

DirkC (dcarey@vmware.com)
2021-08-06 16:27:29

*Thread Reply:* With iOS profiles, it is a remove and re-install of new profile. Apple doesn't support a concept of deltas.

👍 Justin Butts
brob (brian.robinson@gartner.com)
2021-08-18 21:50:36

*Thread Reply:* We use Workspace ONE and we just updated the EAS profile with Oauth enabled and the iOS device received a pop-up asking them to enter the password which takes them through the auth workflow

Woody (eric.woodland@trust.tc)
2021-08-12 16:15:13

That’s a first 😆 - Listening experience > Security?

😀 Sharkey, brob
🤣 Boe, Mikey2000
Adam Royall (adam.royall@icloud.com)
2021-08-13 00:55:51

@Adam Royall has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-08-20 13:48:06

Are there any iOS payloads to configure the files app via MDM?

Peter Mohr (pm@conscia.com)
2021-08-20 13:48:43

Not as far as I know 😞 Would love to be able to add servers etc 🙂

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-08-20 13:49:31

*Thread Reply:* Same here. 😀

Thomas B. (tbosboom@apple.com)
2021-09-02 10:57:51

*Thread Reply:* That would be great feedback to share via the Feedback app / AppleSeed for IT as a feature request…. maybe talk to a friendly Apple SE to see if they can help raise the visibility of your request…

Boe (bkelley1982@gmail.com)
2021-08-20 21:22:40

Does anyone in here use Polycom RealPresence Mobile HD and if so have you found a way to push out the settings via the MDM instead of needing to set them by hand? I tried looking at their site's documentation and I didn't find anything.

DirkC (dcarey@vmware.com)
2021-08-23 16:15:10

*Thread Reply:* Able to ask their support team if the app implements AppConfig? Also ask them why not if it doesn't.

Boe (bkelley1982@gmail.com)
2021-08-23 16:19:54

*Thread Reply:* I wish unfortunately this app is provided to us by a vendor and not the company direct so I don't have direct access to their support which is why I thought I would reach out and see if anyone else had experience with it. I went thru their support site and they mention MDM's in some of their documents but never anything about supporting AppConfig via the MDM. It's not a huge deal either way I was just hoping to cut a few setup steps out for our Desktop Support Team, plus less things they have to manually do less chance for error 😄

DirkC (dcarey@vmware.com)
2021-08-23 17:38:56

*Thread Reply:* The Google Play version does not support AppConfig.... so that isn't a great sign.

🤣 Boe
Boe (bkelley1982@gmail.com)
2021-08-23 17:42:01

*Thread Reply:* Ya I checked that too so I figured I was out of luck but thought it was worth the ask regardless thanks for trying though Dirk

Porkchop (michael@kaegler.com)
2021-08-26 18:28:09

@Porkchop has joined the channel

ZachW (zjweir1@gmail.com)
2021-08-26 20:54:11

@ZachW has joined the channel

Timo Weik (timo@weik.one)
2021-09-03 09:11:50

@Timo Weik has joined the channel

Tim Evans (timevans666@gmail.com)
2021-09-06 09:26:30

@Tim Evans has joined the channel

Justin Butts (justin.butts777@gmail.com)
2021-09-08 14:07:38

Am I losing my mind? I thought iOS devices had to be supervised to use an unlock passcode / clear passcode command?

Eric Bos (ericbos1@ie.ibm.com)
2021-09-08 14:08:29

*Thread Reply:* no it should work on unsupervised devices as well

👍 Woody
Justin Butts (justin.butts777@gmail.com)
2021-09-08 14:14:19

*Thread Reply:* My pre-coffee brain can't wrap my head around Apple still allowing for unsupervised unlocks - thank you for confirming!

😆 Woody
Sharkey (lukesharkey@gmail.com)
2021-09-08 14:15:34

*Thread Reply:* Yep. Still managed.

👍 Woody
Cedric Lüke (mail@cedric.cc)
2021-09-09 12:58:32

Is anybody using Safari in iPad Kiosk mode (single app mode via MDM policy) with VPN? Looks like the single app mode profile blocks AnyConnect from establishing the On-Demand VPN connection

Peter Mohr (pm@conscia.com)
2021-09-09 13:44:11

“Single App Mode” 🙂 kind of gives you the answer. You can’t run 2 apps (AnyConnect and Safari)….

Cedric Lüke (mail@cedric.cc)
2021-09-09 14:08:46

well that's what I feared, thought somebody might have a clever way around it

Peter Mohr (pm@conscia.com)
2021-09-09 14:09:28

Use the internal VPN client (no SSL VPN though 😞 )

Sharkey (lukesharkey@gmail.com)
2021-09-09 14:09:34

Maybe make it an always on vpn?

Peter Mohr (pm@conscia.com)
2021-09-09 14:10:18

Always On requires Supervision too. (I guess SingleAppMode does too)

Sharkey (lukesharkey@gmail.com)
2021-09-09 14:10:46

I advise against SAM with MDM. Never ending problems IMO

👍 Woody
Peter Mohr (pm@conscia.com)
2021-09-09 14:13:43

true, but also works in some use cases. Automation helps on the backend….

  1. remove SAM from meeting room devices
  2. Update app and OS.
  3. Reboot
  4. Re-apply SAM

Stuff like this can happen overnight, automated. If not, your device and app will never update 😞
👍 Woody
iMZ (mark_zimmermann@me.com)
2021-09-21 19:43:53

Who knows why Focus Mode didn't work for apps from MDM?

Jay (vita@akut-hr.de)
2021-09-22 08:51:48

*Thread Reply:* Do you mean that notifications still come through even though they are not supposed to? Haven’t tested that so far.

Ajay Patel (ajay5675@msn.com)
2021-09-29 09:06:06

If anyone has an iPhone, could they try the below for me 🙂 Using the native mail client, if they use the unread filter button, does the phone freeze up then unfreeze around 10 seconds later but the filter doesn't work (i.e. if you are in unread mode it won't take you out of it and vice versa)?

Mark Vonk (mark.vonk@dahvo.com)
2021-09-29 10:21:39

*Thread Reply:* It works as expected for me on iOS 15

👍 Thomas B.
Ajay Patel (ajay5675@msn.com)
2021-09-29 10:34:21

*Thread Reply:* thanks @Mark Vonk just me then 😞

🤣 Boe
Joel Prefontaine (joel_prefontaine@outlook.com)
2021-09-30 17:32:00

@Joel Prefontaine has joined the channel

Henry Heres (henry@technicalfellow.nl)
2021-10-01 06:53:31

@Henry Heres has joined the channel

Sharkey (lukesharkey@gmail.com)
2021-10-07 21:23:06

Anyone had any issues on iOS 15 with blasts of meeting acceptances after upgrading?

👀 Woody
Mark Vonk (mark.vonk@dahvo.com)
2021-10-08 17:28:05

*Thread Reply:* Actually I have seen this with upgrade to 14.7 too. The persons that were causing this issue had to remove and reapply the exchange config. Native iOS mail right?

Sharkey (lukesharkey@gmail.com)
2021-10-28 21:51:46

*Thread Reply:* Yeah

Sharkey (lukesharkey@gmail.com)
2021-10-28 21:52:05

*Thread Reply:* Seems somewhat common. But MSFT didn't care lol.

brandobot (brwong@linkedin.com)
2021-10-13 00:14:41

Any word if CVE-2021-30883 also affects iOS 14.8?

Sharkey (lukesharkey@gmail.com)
2021-10-13 00:15:32

Safe to assume yes IMO

👍 Woody
Gary (mcconnell.gary@gmail.com)
2021-10-14 19:14:41

Hi, Is anyone having issues lately with native email client, certificate based authentication and o365? We have multiple customers reporting issues... only happening with CBA access to o365 exchange online....

Woody (eric.woodland@trust.tc)
2021-10-14 20:39:24

@Gary This is using CBA + O365 ActiveSync. Right?

Gary (mcconnell.gary@gmail.com)
2021-10-14 20:40:17

@Woody yes...

Woody (eric.woodland@trust.tc)
2021-10-14 20:41:00

Might be worth checking w. MSFT. Technically everything you’re doing is supported from an Azure perspective…

Woody (eric.woodland@trust.tc)
2021-10-14 20:42:17

Unless you’re having issues with your PKI/CRL, it should be business as usual

Gary (mcconnell.gary@gmail.com)
2021-10-14 20:42:36

Yip, MSFT confirmed that it is strange and not able to find the issue yet. Will check CRLs

Peter Mohr (pm@conscia.com)
2021-10-15 11:05:55

Exchange Online service alert Incident information Title: Some users are unable to send email or receive using their Exchange ActiveSync (EAS) synced iOS or Android device ID: EX291497

Jon Dynes (jdynes@me.com)
2021-10-15 15:42:56

@Jon Dynes has joined the channel

Damian (support@expertmobilite.com)
2021-10-18 12:13:31

Hey folks, with the growing number of critical vulnerabilities (zero day no touch exploits) I'm curious to know how everyone is handling this from an MDM perspective? Are you all setting the latest iOS version (15.0.2) or the one before it such as 14.8? It's starting to become really unmanageable from a communication standpoint so I'm wondering if any of you have a MTD solution in parallel that is able to detect and prevent these regardless of the iOS version?

Eric Bos (ericbos1@ie.ibm.com)
2021-10-18 12:25:18

*Thread Reply:* MTD does not replace OS updates, but most MDM would be able to detect devices that are not up to date, and they could push out OS updates to supervised iOS devices, for example MaaS360 can do this.

Damian (support@expertmobilite.com)
2021-10-18 12:27:03

*Thread Reply:* Of course not, I'm well aware of that - I was just wondering how everyone is managing this given the constant flow of iOS updates…

Sharkey (lukesharkey@gmail.com)
2021-10-18 12:43:33

*Thread Reply:* I put a 21 day hold on updates unless they are critical. I also use MDM to push updates. But as a parallel measure we set devices to auto update on setup as well. Then we preach keeping them updated. Updates on mobile, Android and iOS, are spotty for people for many reasons. Most of my population does not like to put a device on Wi-Fi. And we don't have cert based authentication, so auto attachment to a corporate Wi-Fi is not possible. Many updates don't get done due to this. Then there are space issues on devices that prevent updates. Really the best policy I have is to really annoy the end user until they update. Being annoying is increasingly difficult lol. Good luck 🍀 !

👍 Damian, Woody
Jay (vita@akut-hr.de)
2021-10-18 14:26:51

*Thread Reply:* We usually have N-2 as minimum policy and people have a grace period of 7 days (so until iOS 14.8, 14.7 would be allowed as minimum, if 14.8 would not have been labeled critical). They get a notification and then have 7 days to remediate; if they don't do that, after 7 days access to company resources is revoked for that device. With critical vulnerabilities increasing on iOS side we have lately been going to the latest OS version and setting the grace period to 1 day, with communication being sent to everybody beforehand. The scenario with iOS 14.8 and 15.0.2 being out and Apple telling people that they get to choose made even that more difficult. We have a significant number of people on 15+ already and also still a high number on 14.8 afraid to update because they don't want stuff to break for them, which I understand; I had a terrible experience with my private iPhone. I tested Filters in MEM and it works fine, so now we'll fork the policy and ask everybody who is already on 15+ but not on 15.0.2 yet, to update with grace period set to 1 day. Everybody who is still on 14.8 is excluded for now, because communication from Apple hasn't been really clear if 14.8 is affected too. Tbh the situation is becoming messier and messier in my view.

👍 Damian, Woody
Damian (support@expertmobilite.com)
2021-10-18 15:00:09

*Thread Reply:* We've found that it's impossible to get everyone updated within such a short timeframe…not sure how you're managing to do that in 1 or 7 days unless you have a small fleet. We have 60,000 devices!

👍🏾 Jay
👍 Woody
Boe (bkelley1982@gmail.com)
2021-10-18 15:37:05

*Thread Reply:* Hey @Jay I could be wrong but from what I've seen reported there were 3 major zero days reported and the first was patched by Apple in 14.7.1 after the researcher who found them went public because Apple was dragging their feet. It's my understanding that another was patched with the 15.0.2 patch and that it sounds like the last exploit is getting patched in 15.1. So I believe all builds are impacted but I could be wrong.

🤔 Jay
Boe (bkelley1982@gmail.com)
2021-10-18 15:40:20

*Thread Reply:* Currently we have a 30 day hold on users being able to take iOS updates on their own. Normally this gives me time to watch and see if any major issues are reported in the media or if any vendors come forward with issues as well. I don't worry as much about apps breaking when they are dot releases but I do worry every time we take a major update (i.e. going from 14.8 to 15) as it seems something always breaks. I have a list of apps/configs that I know are most likely to break so I start by testing on them with the right people to put their apps thru their paces. After that I start my phased roll out across our devices and hope for the best. Like everyone else here has said already, it's important to keep these things up to date. My direct management doesn't really push for me to do this but my security team has requested it and as the guy who it will all fall down on if we get owned I do my best to keep everything as patched and current as I can. 🤣 Managing mobile devices will be fun they said, it's easy they said 🤣

😂 YAS
Damian (support@expertmobilite.com)
2021-10-18 16:04:21

*Thread Reply:* How many devices are you guys managing ?

Jay (vita@akut-hr.de)
2021-10-19 09:44:47

*Thread Reply:* 8K

Damian (support@expertmobilite.com)
2021-10-20 15:13:56

*Thread Reply:* How are you guys managing Android, patch dates etc ?

Jay (vita@akut-hr.de)
2021-10-20 15:30:42

*Thread Reply:* Android 9 as minimum, paired with N-2 when it comes to security patch level, from tomorrow on that will be 2021-08-01. Security patch level is updated every month on the third Thursday. Next month we’ll also move to Android 10 as minimum.

👍 Damian, Daniel
Thomas B. (tbosboom@apple.com)
2021-10-22 15:08:58

*Thread Reply:* Latest is greatest - the most recent iOS release has prio when it comes to receiving patches. Participating in AppleSeed can help with timely readiness.

Woody (eric.woodland@trust.tc)
2021-10-22 17:39:51

Is it me, or is there not a way to hard-set a 6-digit lock code in the DEP Setup Wizard?

Sharkey (lukesharkey@gmail.com)
2021-10-22 17:40:47

It’s not you. Are there is no way to do it for iOS devices

😭 Woody
Sharkey (lukesharkey@gmail.com)
2021-10-22 17:41:42

For Max with the P you can create an admin account and password during set up automatically

Sharkey (lukesharkey@gmail.com)
2021-10-22 17:42:00

I’m using Siri to type this if it seems intelligible

😆 Woody
Woody (eric.woodland@trust.tc)
2021-10-22 17:55:21

So best not to set during the wizard, then enforce with policy after DEP is complete?

Will Davis (wmdavis@us.ibm.com)
2021-10-22 21:11:54

*Thread Reply:* This is what I usually suggest when doing new DEP setups

👍 Woody
Thomas B. (tbosboom@apple.com)
2021-10-25 10:52:37

*Thread Reply:* I’d say that setting the policy straight away and holding the device until the config has completed should get you here (awaitdeviceconfigured) - If your MDM does not support this, alternatively just set the passcode policy and most users will opt for the default of a 6-digit code anyway, and those who do not will be forced by policy as soon as it lands on the device.

👍 Woody
GeorgeU (geupham@gmail.com)
2021-10-25 02:56:53

@GeorgeU has joined the channel

Ajay Patel (ajay5675@msn.com)
2021-10-26 11:38:48

New Apple Business Manager T&C's get released today so don't forget to go and approve those to avoid any unnecessary syncing issues!

👍 Woody, Norton, Daniel
Jay (vita@akut-hr.de)
2021-10-26 11:44:50

*Thread Reply:* Yesterday evening already, but good to remind people again.

Ajay Patel (ajay5675@msn.com)
2021-10-26 11:50:05

*Thread Reply:* I'm a day behind, I've just come back from annual leave so just playing catch up still 😅

Jay (vita@akut-hr.de)
2021-10-26 11:57:18

*Thread Reply:* all good, I know that feel 😄

Woody (eric.woodland@trust.tc)
2021-10-26 15:21:01

*Thread Reply:* Done and done! You have to admit, the emails coming from vendors about this are sort of absurd. CRITICALLY absurd 😆

Boe (bkelley1982@gmail.com)
2021-10-26 20:27:57

*Thread Reply:* I think the process of having to go in and check for the TOS at random because they don't do it at a set time on the day mentioned is absurd. Then again the fact we have to do it every time it changes is not much fun in general. +1 for Android Enterprise set it up and forget about it lol

👍 Woody, Ajay Patel
👍🏾 Jay
Thomas B. (tbosboom@apple.com)
2021-10-28 09:35:14

The Apple Platform Deployment guide just got its update to match iOS 15 release, esp the What's New page is neat: https://support.apple.com/en-gb/guide/deployment/dep950aed53e/web

👍🏾 Jay
👍 Jason, Johannes Harbs, Woody, Tim
Kawarien (ibrahimabbaadam@yahoo.fr)
2021-11-03 10:41:39

I have a machine certificate installed by Intune in General -> Device management. I would like my application to use this machine certificate to present it to an F5 server. When the F5 validates the certificate, I can access the web services. How do I get my application to find and use the certificate in General -> Device management? Thank you

Jay (vita@akut-hr.de)
2021-11-03 11:56:56

*Thread Reply:* You’d have to create a VPN configuration file in Intune using “F5 Access” as connection type, fill out the other required information and under “Authentication method” select “Certificates”. Then you have to go to “Authentication certificate” and select the other certificate you have precreated, the one you see under General -> Device management.

👍 Kawarien
Mark Vonk (mark.vonk@dahvo.com)
2021-11-03 12:40:35

*Thread Reply:* Also make sure to add the custom xml, like so:

<f5-vpn-conf>
  <prompt-for-credentials>false</prompt-for-credentials>
  <client-certificate>
    <issuer>Microsoft VPN root CA gen 1</issuer>
  </client-certificate>
</f5-vpn-conf>

Mark Vonk (mark.vonk@dahvo.com)
2021-11-03 12:41:10
Kawarien (ibrahimabbaadam@yahoo.fr)
2021-11-03 12:53:34

*Thread Reply:* Thank you, I have understood how to do it. I want to know what I should do on the app side to use the certificate. I use Ionic/Cordova for my apps

Jordan Philip (jordan.philip@mobilesolutions.net)
2021-11-04 21:22:05

Here’s a fun one, definitely something we’ve not come across yet! Have you ever heard of an app developer for iOS rolling back a version in the app store? Workday’s dev team botched up something with last week’s release, and they’re going to roll it back to the previous release. We’re trying to figure out how to handle that with MDM… like will devices that are set to automatically update apps roll back automatically? We are honestly just hoping that they submit their old working version of the app with a higher revision so MDMs will trigger the update, but not sure. Any insight would be helpful as pretty much anyone I’ve asked hasn’t seen this situation before.

👀 Woody
Ajay Patel (ajay5675@msn.com)
2021-11-05 08:58:50

*Thread Reply:* whenever Workday botch an update (seems to happen quite a lot for one of our customers) they do exactly as you say, revert to a previous version but making it a higher revision.

💪 Woody
Jordan Philip (jordan.philip@mobilesolutions.net)
2021-11-05 13:32:22

*Thread Reply:* Thanks @Ajay Patel!

Jordan Philip (jordan.philip@mobilesolutions.net)
2021-11-05 20:34:48

*Thread Reply:* You were dead-on @Ajay Patel This corrected our problem, and nice that they rev’d it up to allow us to “upgrade”

👍 Woody, Scott Arndt
Woody (eric.woodland@trust.tc)
2021-11-08 16:31:11

*Thread Reply:* Fun one! Good to know that’s how Workday is working it…

Mikey2000 (mscottscranton079@gmail.com)
2021-11-11 06:33:00

If I buy a device directly from Apple, are they really not able to activate the device for DEP?

Peter Mohr (pm@conscia.com)
2021-11-11 07:05:18

*Thread Reply:* Apple Business Store Online will do this for sure. Not all Apple Retail Stores will do it…

👍 Mikey2000
Steve Hayton (shayton@bridgeway.co.uk)
2021-11-11 09:10:16

*Thread Reply:* Apple Business Store (in the UK) definitely do add to DEP.

✔️ Thomas B.
Scott Arndt (scott.arndt1982@gmail.com)
2021-11-12 22:48:32

*Thread Reply:* You also have the option to use Configurator to add the device to ABM

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-11-16 18:20:49

*Thread Reply:* Right, but for that I need the device in my hands, which I have not. 😜

Thomas B. (tbosboom@apple.com)
2021-11-19 15:21:21

*Thread Reply:* The business team in any retail store should be able to help - you’ll need to call/chat/mail them though - walking into the store and getting an ABM enabled device ‘on-the-spot’ is a different story.

Jay (vita@akut-hr.de)
2021-11-15 11:10:47

Do you guys also feel that the restore experience on iPhones is (still) inconsistent? At times I have cases where the new device (from supervised to supervised) does restore the MDM profile from the old device and then runs into the “Profile installation failed” issue and at times it works fine and the new device interactively downloads the MDM profile as it should. Restoring from supervised to non supervised works fine, as there is no MDM profile restored and you manually have to enroll the non supervised device, which is fine. From non supervised to supervised also works fine.

Florent N. (Florent.NOSARI@econocom.com)
2021-11-15 11:35:33

*Thread Reply:* There are a lot of problems when restoring to the same device

Jay (vita@akut-hr.de)
2021-11-15 11:36:49

*Thread Reply:* In most cases it is restoring to a new device, restoring to the same is rarely done here. But the tests I did with restoring to the same looked fine, at least this time.

YAS (esteem143@gmail.com)
2021-11-15 16:07:09

*Thread Reply:* Yes, I agree with you, Julio. I do face similar issues consistently.

Jay (vita@akut-hr.de)
2021-11-15 16:18:21

*Thread Reply:* Even the “Quick Start” option worked for me, even though this was multiple times mentioned as not built for enterprise. Very confusing and frustrating.

Boe (bkelley1982@gmail.com)
2021-11-16 16:38:43

*Thread Reply:* Julio I'm with you on this, we run into this issue all the time with our BYOD users where they transfer their data from their old phone to their new phone but then can't get enrolled because it copied over part but not all of their MDM profile to the new device. This leads to a support call because most users don't realize and don't want to deal with the WS1 self service profile to nuke their old device. Doing so fixed the MDM profile and then they get enrolled but I wish this didn't happen at all.

Jay (vita@akut-hr.de)
2021-11-17 07:21:47

*Thread Reply:* Yeah, pretty annoying

Thomas B. (tbosboom@apple.com)
2021-11-19 15:20:05

*Thread Reply:* Maybe to clarify on Quick Start with ABM - Most of the quick start functions will work, it’s just the direct device-to-device data transfer part that does not - you’ll be guided to use the regular backup-based data transfer- which is fine, esp now with iOS 15 where you get unlimited temp storage for such transfers. Hope that makes sense.

Jay (vita@akut-hr.de)
2021-11-19 15:34:24

*Thread Reply:* Yeah, I get your point Thomas. That was also my observation, that the device to device transfer is also moving over the profile, which is excluded if you do it in another way. Moving over the device is creating issues and would have to be removed by me through unenrolling the device later, without wiping it, if it even gets to reach the home screen

Peter Mohr (pm@conscia.com)
2021-11-22 13:25:29

*Thread Reply:* IBM has a nice overview about this :

https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide

🎉 Jay
Jay (vita@akut-hr.de)
2021-11-22 14:59:46

*Thread Reply:* Thank you so much! I knew this image from somewhere, but couldn’t find it anymore. I didn’t know that there was a whole article that it comes with!

Sidney (sidney.laan@gmail.com)
2021-11-29 08:08:37

Hi all, does one of you know if it is possible to create a multi-app kiosk 'mode' for iOS/iPad devices via VMware Workspace ONE UEM? For Android you can easily use the Workspace ONE Launcher in multi-app mode, but for iOS devices I see only a single-app mode payload...

Woody (eric.woodland@trust.tc)
2021-11-29 17:25:46

@Sidney Hola! I suppose you could use App Whitelist/Blacklist paired with the Home Screen/Dock Config. Would that accomplish what you're looking for?

Sidney (sidney.laan@gmail.com)
2021-11-29 19:52:08

*Thread Reply:* Ola Woody, probably yes. got sort of the same response in another Slack channel. Will need to test this, hoped there was an easier way.

👍 Woody
Woody (eric.woodland@trust.tc)
2021-12-01 18:41:51

*Thread Reply:* @Sidney It's honestly pretty straightforward. Once you do it a couple times you'll come to enjoy it

💪 Sidney
Scott Arndt (scott.arndt1982@gmail.com)
2021-12-03 17:25:04

Hello all, anyone know of a method to clear all installed app data on iPad in shared mode with Hub sign in via Workspace One? I am currently using an assignment logic which removes the app when the device is checked in, however for apps that you sign-in to like Teams or Outlook, the account persists

AU-Consultant (sambenenge@gmail.com)
2021-12-06 20:30:20

Hello Everybody! Has anyone had any success with allowing a single-app mode app to have access to device camera? We have a vaccine passport app that we would like to lock in SAM, but it needs to be able to scan QR codes.

Sharkey (lukesharkey@gmail.com)
2021-12-06 21:52:37

*Thread Reply:* I had a similar issue. The app needs to be allowed the permissions first. And the permission prompt only comes up when not locked. So we have them unlock the app. Accept the permission. Then lock up again.

AU-Consultant (sambenenge@gmail.com)
2021-12-08 19:49:00

*Thread Reply:* Awesome, will try that... thanks!

Woody (eric.woodland@trust.tc)
2021-12-06 21:02:05

As-of iOS/iPadOS 15... is there any way to force a default browser via Supervision/MDM?

Sharkey (lukesharkey@gmail.com)
2021-12-06 21:51:27

*Thread Reply:* Not that I know either

😢 Woody
Peter Mohr (pm@conscia.com)
2021-12-06 21:48:31

not as far as I know…

😭 Woody
Timothy Byler (timothy@compassfoundation.io)
2021-12-07 00:37:58

Hello, has anyone had any problems with iOS devices losing their CA certs? We are pushing out two CA certs via a profile to all our devices and we are having a few of the devices lose the certs. It only seems to be a problem with iOS 15 devices but I'm not ready to say that it is a 15 bug. I just got in this screen shot from a device and it would have had the certs installed as late as yesterday but today they were missing.

Mark Vonk (mark.vonk@dahvo.com)
2021-12-07 07:15:38

Yeah we have the same issue at a customer with iOS 15 devices. To narrow it down: what MDM are you using? Our customer is using MobileIron Core.

Ladislav Blazek (ladislav@lblazek.cz)
2021-12-07 07:19:55

@Timothy Byler are you pushing both certs in separate configs?

Mark Vonk (mark.vonk@dahvo.com)
2021-12-07 07:55:20

We, at least are pushing them in separate configs

Mark Vonk (mark.vonk@dahvo.com)
2021-12-07 08:37:34

Symptoms: Customers reported that features based on certificates pushed via MDM stopped to work on iOS 15.0 and 15.1 (VPN, Wifi, email,...) due keychain incomplete or missing.

Cause: Apple confirmed that a bug could cause remove or corruption of the certificates pushed via MDM upon iOS updates. The behavior is triggered when pushing a profile with certificates to an iOS 14 device and updating to iOS 15, then re-pushing that profile. This has to do with security changes made to iOS 15 and persistent references in the keychain. Pushing the profile with the now missing certificates again should resolve the issue and not re-occur.

Resolution: The vendor is working on a fix and a relief will be shared as soon as is available in a future beta release. Apple Care reference: 101551789316. Please reference your Apple ticket if you are affected.

Workaround: repush profiles with certificates not linked or invalid

👍 Ladislav Blazek, Woody, Pierre Michaud
Timothy Byler (timothy@compassfoundation.io)
2021-12-07 17:58:10

*Thread Reply:* This would be fairly consistent with what I'm seeing. The one detail that I don't have is when the devices in question were updated.

We have found that repushing the profile fixes the problem for the device in question.

👍 Woody
Mark Vonk (mark.vonk@dahvo.com)
2021-12-07 18:49:18

*Thread Reply:* Apple told us it is fixed in iOS 15 beta 4. We can't really test that because it does not always seem to happen.

Timothy Byler (timothy@compassfoundation.io)
2021-12-08 16:13:15

*Thread Reply:* Thanks to all that contributed to this question. Sometimes it is nice to know that you're not just crazy.

Timothy Byler (timothy@compassfoundation.io)
2021-12-08 17:19:55

*Thread Reply:* A question from one of our techs, "15.0 beta 4 or the just-released 15.2 RC (that is beta 4)?"

Mark Vonk (mark.vonk@dahvo.com)
2021-12-08 17:21:02

*Thread Reply:* I believe the latter, 15.2 rc2

👍 Timothy Byler, Thomas B.
Timothy Byler (timothy@compassfoundation.io)
2021-12-07 17:31:08

We are using Jamf Pro, we are still on version 10.32.1, which is about two versions old. Currently I'm pushing both certs in a single config profile

Nick (nickdiaz@gmail.com)
2021-12-10 13:48:54

@Timothy Byler it’s affecting most DoD devices, since there are multiple certs from multiple sources. Only happens when there is more than one cert. Pretty frustrating as it makes MDM app catalogs extremely cumbersome to use. No, it’s not fixed in 15.2 beta 4, or RC.

Thomas B. (tbosboom@apple.com)
2021-12-13 19:32:37

*Thread Reply:* Maybe check this one; https://support.apple.com/kb/HT212962

Thomas B. (tbosboom@apple.com)
2021-12-13 19:33:25

*Thread Reply:* Should be fixed in the just released 15.2

Nick (nickdiaz@gmail.com)
2021-12-13 20:29:10

*Thread Reply:* Definitely not fixed, but thanks for the ammunition in my ticket escalation.

Nick (nickdiaz@gmail.com)
2021-12-13 20:29:34

*Thread Reply:* Likely not the same issue.

Timothy Byler (timothy@compassfoundation.io)
2021-12-13 20:37:22

*Thread Reply:* Thanks for all the info, the bit about it taking more than one cert to trigger the problem is interesting. It would explain why we're not seeing it on all our servers

👍 Nick
Thomas B. (tbosboom@apple.com)
2022-01-12 19:20:23

*Thread Reply:* Today’s beta contains a fix that looks like it might address an issue where users are prompted to select a certificate to authenticate to websites several times before gaining access. - might be worth looking into.

Nick (nickdiaz@gmail.com)
2022-01-12 21:51:51

*Thread Reply:* No such luck in our test.

Woody (eric.woodland@trust.tc)
2021-12-13 17:31:05

Has anyone played around yet with Configurator for iPhone? Just realized it released a week ago. Gonna have to give it a shot.. https://9to5mac.com/2021/12/06/apple-configurator-now-available-on-iphone-for-adding-macs-not-purchased-by-an-organization-into-business-manager/

👍 Mikey2000, Sidney
Peter Mohr (pm@conscia.com)
2021-12-14 07:39:42

*Thread Reply:* yeah. works really well 🙂

👍 Woody
iMZ (mark_zimmermann@me.com)
2021-12-29 10:42:13

*Thread Reply:* I think that’s a good start. The whole thing works very well, hope Apple brings additional features in there.

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-12-14 19:12:21

Guided Access Mode on iOS - are there any payloads to configure that via MDM?

Sharkey (lukesharkey@gmail.com)
2021-12-14 19:13:05

*Thread Reply:* Single app mode is the equivalent?

Mikey2000 (mscottscranton079@gmail.com)
2021-12-14 19:15:13

*Thread Reply:* Yes we could configure Single app mode with MDM, but not really the same as Guided Access

Mikey2000 (mscottscranton079@gmail.com)
2021-12-14 19:24:46

*Thread Reply:* Ok, looks like there are payloads:

👍 Woody
Woody (eric.woodland@trust.tc)
2021-12-21 14:31:15

Has anyone found any way to manage the home page in Safari for a supervised device? I don't recall there ever being a payload.

Lewis (lewis.riley@brightfin.com)
2022-01-12 23:07:36

@Lewis has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2022-01-20 09:38:32

Is there a way to schedule VPP app updates? (MobileIron Core) We have the problem that mostly Microsoft app updates consume most of our bandwidth

Jason (jasonh@bridgeway.co.uk)
2022-01-20 14:16:19

*Thread Reply:* Why not cache them locally with a Mac Mini or similar? (Also makes iOS provisioning much faster too) 🤔

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2022-01-20 14:21:29

*Thread Reply:* Interesting- how would that work in combination with MobileIron Core?

Lewis (lewis.riley@brightfin.com)
2022-01-20 15:05:01

*Thread Reply:* Jason is talking about the macOS caching server option. That feature is independent of the MDM used. The iOS device would need to be on the same network as the caching server when running the updates.

👍 Mikey2000, Jason
Mikey2000 (mscottscranton079@gmail.com)
2022-01-20 15:13:05

*Thread Reply:* I see. Thank you, I will take a closer look. But basically the clients need to know that Mac Mini is the source for updates, am I right with that?

Lewis (lewis.riley@brightfin.com)
2022-01-20 16:18:45

*Thread Reply:* No client settings are needed, they just need to be on the same network. This feature is built-in to macOS

🙏 Mikey2000, Jason
Jason (jasonh@bridgeway.co.uk)
2022-01-20 17:45:08

*Thread Reply:* Sorry, been in meetings, but Lewis is spot on.

Woody (eric.woodland@trust.tc)
2022-01-21 22:35:38

Trying to remember. If I've enrolled/supervised a device with MDM A and I retire... then User Enroll to MDM B... does the Supervision Flag carry over?

Almar Diehl (almar.diehl@blaud.com)
2022-01-22 08:55:51

*Thread Reply:* Yes it does.

iMZ (mark_zimmermann@me.com)
2022-01-22 09:33:07

*Thread Reply:* User Enrollment? User Enrollment has no supervised mode or what do you mean?

iMZ (mark_zimmermann@me.com)
2022-01-22 09:34:10

*Thread Reply:* On the other hand a device that was once supervised is supervised until you remove it via Apple Configurator ;) no matter how the MDM changes

💪 Woody, iMZ
Woody (eric.woodland@trust.tc)
2022-01-22 21:05:06

*Thread Reply:* Okay! It had been a minute since Supervised, then retired and added to a new MDM (without wiping/starting over). Thanks @iMZ for the refresher

Woody (eric.woodland@trust.tc)
2022-01-22 21:06:16

*Thread Reply:* To clarify: If I'm migrating a supervised device from MDM A to B without a wipe, I want to make sure the Supervised Flag carries into MDM B

Woody (eric.woodland@trust.tc)
2022-01-22 21:06:45

*Thread Reply:* When enrolling to MDM B, it is technically User Enrollment, because the user is enrolling... not Device Setup Wizard

iMZ (mark_zimmermann@me.com)
2022-01-23 08:06:49

*Thread Reply:* Ahh this way! If you do this, the device is also flagged in the new MDM supervised

👍 Woody
iMZ (mark_zimmermann@me.com)
2022-01-23 08:07:29

*Thread Reply:* Is just like with an ACC to bring the device into supervised and then log in to MDM.

👍 Woody
Jay (vita@akut-hr.de)
2022-01-24 07:52:07

*Thread Reply:* Is it really a “User Enrollment” (with managed Apple ID) or do you mean a user initiated enrollment through agent @Woody?

Woody (eric.woodland@trust.tc)
2022-01-24 15:00:37

*Thread Reply:* Yes @Jay it technically is perceived as a User Enrollment

Jay (vita@akut-hr.de)
2022-01-24 15:01:31

*Thread Reply:* ok

Woody (eric.woodland@trust.tc)
2022-01-24 15:40:00

*Thread Reply:* There is no MAID in this scenario. Basically the MDM being removed from the source system, then being left without MDM.. so the user goes out and installs post-deployment, which is perceived by Apple/iOS as User Enrollment

Jay (vita@akut-hr.de)
2022-01-24 15:41:34

*Thread Reply:* I get that, I’m just confused by the usage of “User Enrollment” as Apple tried to change it into this enrollment scenario that has to include MAID even though before MAID the same term was and obviously is still used for BYOD/non DEP enrollment

👍 Woody
Thomas B. (tbosboom@apple.com)
2022-01-31 08:40:03

*Thread Reply:* I think @Woody refers to user initiated device enrolment as ‘user enrolment’ - somewhat confusingly. User enrolment has a very specific meaning now, with a MAID required and limited MDM functions. With manual device enrolment, supervision does indeed carry over - it’s a flag set on the device. The main issue you may want to consider is that the manually enrolled MDM will be user removable; which might be a concern.

👍:skin_tone_5: Jay
👍 Woody
Jay (vita@akut-hr.de)
2022-01-31 08:54:01

*Thread Reply:* Yeah Thomas, I was thinking the same that’s why I asked. I also do share the concerns with the removable mdm profile.

👍 Thomas B.
Woody (eric.woodland@trust.tc)
2022-01-31 14:24:04

*Thread Reply:* @Thomas B. that's correct. So it is more of a manual enrollment in this scenario. No MAIDs in use. Appreciate you spelling that out. I'm sure it isn't the first time there will be confusion on that nomenclature

👍 Thomas B., iMZ
Timothy Duong (accounts@timothyduong.me)
2022-01-24 23:39:46

@Timothy Duong has joined the channel

David Baverstock (dbaverstock90@icloud.com)
2022-02-05 12:09:33

@David Baverstock has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2022-02-08 18:58:12

How are you guys deploying Exchange Online Shared mailboxes to the devices - only via MS Outlook? Is there an alternative?

Lewis (lewis.riley@brightfin.com)
2022-02-08 19:18:58

*Thread Reply:* The built-in Mail app can't do Shared mailboxes, so I believe Outlook is your best bet.

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2022-02-08 19:21:07

*Thread Reply:* And if the shared mailbox has the password enabled?

Lewis (lewis.riley@brightfin.com)
2022-02-08 23:06:28

*Thread Reply:* For the Outlook app, If they have delegate access, they should be able to add it by clicking on the add account button and choosing “Shared Mailbox”

Cedric Lüke (mail@cedric.cc)
2022-02-09 09:34:13

*Thread Reply:* VMware Boxer supports Shared mailboxes as well (if you are already using WS1 and have it licensed).

Bill (slack@meshak.net)
2022-02-08 21:37:43

Has anyone had success with the new "Account Driven User Enrollment" on IOS Devices? Otherwise known as the "Sign in to Work or School Account" in IOS 15

Todd Cole (toddcole13@hotmail.com)
2022-02-08 22:26:14

*Thread Reply:* What are you asking about. I have a few devices I am testing this on.

Thomas B. (tbosboom@apple.com)
2022-02-09 19:37:45

*Thread Reply:* I’ve done some tests and it looks neat to me - quite the improvement over the iOS 14 era process with manual profile install.

Todd Cole (toddcole13@hotmail.com)
2022-02-09 21:11:52

*Thread Reply:* agree, user enrollment is really good, but the dependence on Managed Apple ID makes it tough.

Bill (slack@meshak.net)
2022-02-09 22:07:58

*Thread Reply:* That's promising to hear, I'm a Workspace ONE shop here, and having a devil of a time getting the pre-reqs together (building and hosting the domain.com/.well-known/com.apple.remotemanagement). Any guides specific to WS1 or generally you can point to?

Todd Cole (toddcole13@hotmail.com)
2022-02-09 22:20:03

*Thread Reply:* Not really unfortunately I am not well versed on WS1.

Jonny Welander (jonny.welander@intraservice.goteborg.se)
2022-02-11 10:07:30

@Jonny Welander has joined the channel

Damian (support@expertmobilite.com)
2022-02-18 09:10:18

Anyone aware of any iOS restrictions that could impact the use of CarPlay?

Anton I (antonn94@gmail.com)
2022-02-18 15:27:11

*Thread Reply:* Perhaps managed accounts such as calendar/contacts?

Damian (support@expertmobilite.com)
2022-02-18 16:14:10

*Thread Reply:* We authorise the sync of managed contacts to native contacts

Mark Vonk (mark.vonk@dahvo.com)
2022-02-20 06:16:39

*Thread Reply:* You need to allow Siri even when unlocked. So check for restrictions regarding Siri

Nico Hermeling (nico.hermeling@outlook.com)
2022-02-22 12:06:15

*Thread Reply:* @Mark Vonk We blocked Siri for ~un~locked devices and CarPlay works pretty well. When have you checked that?

@Damian Very obvious, but are WiFi or Bluetooth restricted?

(modified the typo)

Mark Vonk (mark.vonk@dahvo.com)
2022-02-22 12:31:28

*Thread Reply:* I am not sure about the current status, but it used to be a common reason for CarPlay to fail. If you Google for locked (not unlocked) you will find some references to it. Siri is still mandatory though, you need to enable it for CarPlay to work

Damian (support@expertmobilite.com)
2022-02-22 13:11:35

*Thread Reply:* Siri is allowed locked and unlocked and Bluetooth/wifi too. Probably a bug so just reaching out in case it's a known issue. Thanks

Stephan Giese (stephan.giese@sva.de)
2022-02-18 09:23:52

@Stephan Giese has joined the channel

Damian (support@expertmobilite.com)
2022-02-28 08:50:06

Hi folks, anyone know if the « ratings region » in the media content section in the restrictions profile has any real bearing or influence as we manage multiple regions ? For example, we manage the APAC region but only see Japan, Australia & NZ as an option? There is nothing in the documentation to explain that…

Mikey2000 (mscottscranton079@gmail.com)
2022-03-01 07:21:08

We are in the mix of planning a process how we handle backup/restore on a global scale and I want to ask for your input and experiences.

We have a lot of branches deployed all over the world. Backup/Restore is mostly done by our individual on-site Admins, which nowadays can be a bit tricky. We currently don't use Apple Business Manager, so all of our devices are Non-DEP and Non-Supervised. MDM is MobileIron Core.

How are you guys handling this with hardware replacements? (switch to a new phone). We thought about completely banning backups since it is mostly for consumer features and the devices are company owned anyway.

Jay (vita@akut-hr.de)
2022-03-01 14:17:46

*Thread Reply:* We’re telling people that we do not officially support backups as they don’t work as they should in a business context and everything company related is in the cloud and doesn’t need to be backed up. If they still want to use it they can, but they should use iCloud or iTunes/Finder and not the Quick Setup option. If they have issues we still try to help though.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2022-03-01 14:18:59

*Thread Reply:* Pretty good - thanks for sharing

Todd Cole (toddcole13@hotmail.com)
2022-03-03 19:29:01

*Thread Reply:* To add a bit onto @Jay's answer from my own experience, if your company applications are installed by the MDM and you have correctly flagged the apps themselves to not backup (or use iCloud if you want both blocked) then they will not be able to backup. In high security environments the use of backups has long been banned but it makes support more painful. Ensuring that corp apps that should not be backed up or share data to iCloud are correctly flagged that way by your MDM is a good start. Then the use of iCloud Backup should work fine and a user's “personalized” settings will be moved but the corp apps will have to be pushed down and then data sync’d back from the company.

🙏 Mikey2000
🙏:skin_tone_5: Jay
✔️ Thomas B.
Thomas B. (tbosboom@apple.com)
2022-03-11 20:55:04

*Thread Reply:* Todd is spot-on. I’d add that from a corp perspective, all data on phones should be seen as transient. That is to say, the canonical copy is what is on the mail server, in the database, in the backend etc. - the phone just has a local cache. Hence marking those apps as excluded from backup is fine. On restore, MDM pushes down the apps and the data is re-populated from the respective backends

🙏 Mikey2000
🙏:skin_tone_5: Jay
Mikey2000 (mscottscranton079@gmail.com)
2022-03-01 14:13:39

Managed Apple-ID questions: a.) is it possible to retrieve a list with names of the users that have a conflict? b.) our APNS cert was also issued with one of these Apple IDs - will this also be a conflict?

Mikey2000 (mscottscranton079@gmail.com)
2022-03-01 14:16:12

*Thread Reply:* I guess you have to contact Apple to move the APNS account from personal to managed Apple-ID: https://support.apple.com/en-gb/guide/apple-school-manager/axm6603d9206/web

Peter Mohr (pm@conscia.com)
2022-03-01 14:18:59

*Thread Reply:* 1. nope… You can’t. It’s privacy 🙂

  2. not really. but you can move to a different ID if needed. Contact Apple Deployment Support for this. They have a form for this
🙏 Mikey2000
Joel Prefontaine (joel_prefontaine@outlook.com)
2022-03-03 03:38:03

*Thread Reply:* Privacy yes, but emails are being mailed to users who have conflicts on your email system, so you still “know” if you want to

Barbra Conner (iambac777@gmail.com)
2022-03-03 21:37:50

*Thread Reply:* this has been a huge blocker for us making the migration because we have

  1. official developers who have historically used their work emails for developing apps
  2. users who, against corporate policy, used their corporate id

We asked Apple for a list of those users so that we could embark on a communication campaign about the transition. Apple said No, privacy. So then we asked for the count so that we had an idea of what we were up against and that was denied as well. So we will be flying blind in the transition.

Once you take over the domain for user enrollment, the users will get a message from Apple indicating that they will need to transition to a personal id.

Peter Mohr (pm@conscia.com)
2022-03-04 07:06:41

*Thread Reply:* You can get the count from ABM before you turn on migration and federation…

Rob B (robtb1990@gmail.com)
2022-03-03 18:09:07

@Rob B has joined the channel

Jose Anaya (jose.anaya@brightfin.com)
2022-03-03 18:16:01

@Jose Anaya has joined the channel

brandobot (brwong@linkedin.com)
2022-03-03 21:48:19

What's the easiest way to enroll an iOS/iPadOS device into ABM and enroll it into MDM? On the macOS side, we're able to use configurator to quickly enroll a Mac and provision like a standard ABM device. On the mobile side, it looks like we need to configure Apple Configurator on macOS, then enroll the device using an enrollment URL. Is there a way to quickly add the device into ABM, then provision remotely without having to configure Configurator?

Todd Cole (toddcole13@hotmail.com)
2022-03-03 22:39:44

*Thread Reply:* There are only 2 ways: via Apple Configurator or a reseller adding it for you.

brandobot (brwong@linkedin.com)
2022-03-03 22:41:38

*Thread Reply:* got it. I'm using Configurator now and am able to get my device enrolled into WS1 and in ABM. Process seems a bit quirky and not consistent on the multiple attempts I've tried to enroll a device using a blueprint. Profiles are delivering fine, apps are not installing.

Justin Butts (justin.butts777@gmail.com)
2022-03-04 17:52:37

*Thread Reply:* dep/abm via vendor is certainly the easiest

Mikey2000 (mscottscranton079@gmail.com)
2022-03-07 06:45:48

Does Teams yet support multiple accounts?

Ajay Patel (ajay5675@msn.com)
2022-03-07 09:20:19

*Thread Reply:* simple answer... no.. Only 1 work 1 personal

😢 Woody
Woody (eric.woodland@trust.tc)
2022-03-08 17:17:41

*Thread Reply:* I do wish. The best thing is federation/linking between teams, but that's only if both orgs allow for it

Woody (eric.woodland@trust.tc)
2022-03-08 17:19:40

Fairly certain I know the answer, but has anyone found a way to enforce DnD (Focus) on supervised iOS when a vehicle is in motion? I get something with CarPlay from a personal perspective, but I know a business isn't going to provide vehicles specifically equipped with CarPlay to guarantee this always happens.

Mark Vonk (mark.vonk@dahvo.com)
2022-03-08 17:55:11

*Thread Reply:* DND? Dungeons & Dragons? 🤔

😆 Woody
🤣 Boe
Woody (eric.woodland@trust.tc)
2022-03-08 17:58:16

*Thread Reply:* @Mark Vonk Do not Disturb (aka Focus)

Boe (bkelley1982@gmail.com)
2022-03-08 17:59:53

*Thread Reply:* I don't know @Woody I think @Mark Vonk's idea sounds like a lot more fun

😁 Mark Vonk
Woody (eric.woodland@trust.tc)
2022-03-08 18:00:05

*Thread Reply:* LoL -- I concur @Boe

Mark Vonk (mark.vonk@dahvo.com)
2022-03-08 18:01:15

*Thread Reply:* I did not see anything in the iOS restrictions documentation regarding focus/dnd unfortunately.

Woody (eric.woodland@trust.tc)
2022-03-08 18:05:23

*Thread Reply:* Yeah, likewise. Have someone shopping different MDMs because they think one is going to be able to do something magical with Apple on that front. Hate to break it to them, but that's not going to get them anywhere.

Woody (eric.woodland@trust.tc)
2022-03-11 18:34:32

*Thread Reply:* Potential solution on this front. https://lifesaver-app.com/

Cedric Lüke (mail@cedric.cc)
2022-03-09 13:59:14

I saw today that Apple puts an "Information Required Soon" notice next to (some? most? of) the Bundle IDs in our Enterprise Developer account. This appears to refer to the "Deployment Details" questions that have been marked as "optional" until now. Does anyone here know more about this, or any announcements regarding the enforcement of those fields?

Thomas B. (tbosboom@apple.com)
2022-03-16 12:43:30

*Thread Reply:* I can ask…

Max Ågren (max.agren@techstep.se)
2022-03-16 11:04:11

@Max Ågren has joined the channel

Rob B (robtb1990@gmail.com)
2022-03-16 16:45:38

99.9% sure it's not possible but I am being told by an MDM vendor that it is. Will Apple unlock a device (remove device passcode, not activation unlock) if you can prove device ownership?

I know they can do activation unlocks but never heard of them removing a passcode for you so you can get access to the device again.

Peter Mohr (pm@conscia.com)
2022-03-16 19:16:53

*Thread Reply:* Apple can’t. MDM can (if device is online and enrolled)

✔️ Thomas B.
Rob B (robtb1990@gmail.com)
2022-03-16 19:19:37

*Thread Reply:* Thanks for the verification. I never thought they did but our SureMDM vendor was trying to tell us they can.

Unfortunately in our case the phone is passcode locked and has been turned off then back on. And we know when that happens iOS turns off the data connection until the device is unlocked.

Peter Mohr (pm@conscia.com)
2022-03-16 19:32:27

*Thread Reply:* if this is a SIM capable device just plug in an unlocked SIM. If it’s not, use a Lightning to USB-A to Ethernet adapter or just a USB-C to Ethernet if you have an iPad Pro… that brings the device back online 🙂

Peter Mohr (pm@conscia.com)
2022-03-16 19:32:56

*Thread Reply:* You can always wipe the device if you don’t care about the data.. Put it into DFU mode and restore using a cable.

Rob B (robtb1990@gmail.com)
2022-03-16 19:34:02

*Thread Reply:* Thanks for that info Peter much appreciated. Our customer was hoping to keep the data otherwise for sure we could have just wiped it early on. But that is good to know about Lightning/USB-C to Ethernet adapters.

Hadn't heard of that one before.

Thanks again!

Peter Mohr (pm@conscia.com)
2022-03-16 19:42:25

*Thread Reply:* I have this “kit”

https://www.apple.com/shop/product/MD821AM/A/lightning-to-usb-camera-adapter?fnode=[…]a4daa86040b291aa153aa97ed25dd00b9356e15b4196b73f3fef14968fafa0

Peter Mohr (pm@conscia.com)
2022-03-16 19:42:52

*Thread Reply:* https://support.lenovo.com/dk/en/solutions/pd029741

Rob B (robtb1990@gmail.com)
2022-03-16 19:43:14

*Thread Reply:* awesome thank you so much for the recommendation

Rob B (robtb1990@gmail.com)
2022-03-17 19:46:17

*Thread Reply:* Hi Peter,

Have you ever run into the issue where the iOS device will tell you that you need to unlock the device before you can use USB accessories?

Thomas B. (tbosboom@apple.com)
2022-03-21 10:03:17

*Thread Reply:* Yes, that limitation was introduced a while ago. MDM is able to change this policy - but you would’ve had to do this ahead of time.

Thomas B. (tbosboom@apple.com)
2022-03-21 10:04:23

*Thread Reply:* The restriction is “allowUSBRestrictedMode” - found in https://developer.apple.com/documentation/devicemanagement/restrictions

That site is really valuable to have on hand in this type of vendor discussion - it is the canonical answer to what MDM can or can’t do.

Daniel Skaaning (daniel_skaaning@hotmail.com)
2022-03-16 20:53:02

@Daniel Skaaning has joined the channel

Govi (byodmdm@gmail.com)
2022-03-17 04:42:30

Hi, need help: Ms-Outlook App for iOS can get the full list of Appconfig to create .Plist for allowing/restrictions of certain features? Via MDM server for a public iOS app.

Kenneth B. Jørgensen (kbj@its.aau.dk)
2022-03-18 07:20:09

@Kenneth B. Jørgensen has joined the channel

iMZ (mark_zimmermann@me.com)
2022-03-29 21:17:51

has someone the chance to create a high resolution screenshot of the profile creation screen of the old iphone configuration utility ?

Damian (support@expertmobilite.com)
2022-03-31 18:41:13

We have some users who receive their corporate mail on both their iPhone and iPad and only on the iPad do we see an issue whereby an email with an attachment over 10mb is not fully downloaded but arrives in text format. We don't have the issue on the iPhone at all and are all able to reproduce on the iPad. The active sync policy is the same for both types of devices. Allow HTML mail. There are no settings in the mail app that would influence this. I found some discussions in forums around the network bandwidth that could be causing this but my tests were done on the same 4G and Wifi…any idea ?

Thomas B. (tbosboom@apple.com)
2022-04-06 05:26:52

*Thread Reply:* Do you have an applecare case or a FB with AppleSeed?

Damian (support@expertmobilite.com)
2022-04-06 14:08:46

*Thread Reply:* Not yet but we can definitely create one. I was just putting this out there in case anyone had experienced the same issue

Wschuetz (walter.schuetz@post.at)
2022-04-03 07:50:03

@Wschuetz has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2022-04-04 16:56:46

Is there a payload for Safari „Request Desktop Site“ so we can pre-configure this? Or create a webclip with Request Desktop Site on?

Kristin (mail@kristin-zernechel.de)
2022-04-10 13:00:42

@Kristin has joined the channel

Benedikt Haller (benedikt.haller@gmail.com)
2022-04-26 13:32:17

@Benedikt Haller has joined the channel

Adrian Patrascu (adrian.patrascu88@gmail.com)
2022-05-11 07:51:00

We have recently seen this affecting us and wanted to share this - https://support.microsoft.com/en-gb/office/phone-numbers-that-include-special-character[…]ne-dialer-on-ios-15-4-843c0015-da9d-4fd1-92e3-d08049e38fae. It seems this is fixed in iOS 15.5 and that should work there from our tests.

Tim (tim.struik@blaud.com)
2022-05-23 07:56:02

Wondering whether others experienced this issue with shared iPad, where the 'max cached users' setting doesn't seem to be respected. I.e. the max cached users was set to 10 and when user 11 signs in the first user who signed in won't be purged/signed out. We experienced this behavior with 2 MDMs.

🤔 Woody
Woody (eric.woodland@trust.tc)
2022-05-23 18:41:57

*Thread Reply:* @Todd Cole anything you’ve come across?

👍 Tim
Thomas B. (tbosboom@apple.com)
2022-05-31 21:34:51

*Thread Reply:* I find the updated deployment guide to be quite helpful; https://support.apple.com/guide/mdm/prepare-shared-ipad-mdm71124b400/web - with some interesting details in the referenced MDM spec. https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/shareddeviceconfiguration. Some noteworthy comments:

> Apply this setting before users log in to the device.
> If you upgraded the device to iOS 13.4 or later, perform an erase of all content and settings before applying this setting.
> Provide either the QuotaSize or ResidentUsers. If you provide both values, the MDM server uses QuotaSize.

What MDMs are you seeing this with? Some vendors may have quirks in their implementation.

Tim (tim.struik@blaud.com)
2022-06-02 08:20:03

*Thread Reply:* Hi Thomas, the devices are running 15.5 at least. We noticed this on MobileIron Core and Intune. Within MobileIron and Intune this value is set in the enrollment profile which applies before any user signs in. MobileIron applies Resident user, indirectly I noticed that Intune does the same, although it is not documented as obviously as at MobileIron.

Thomas B. (tbosboom@apple.com)
2022-06-02 08:20:56

*Thread Reply:* Aloha! Can you confirm that no user QuotaSize is set in the test setup?

Tim (tim.struik@blaud.com)
2022-06-02 16:23:43

*Thread Reply:* I am almost sure (checked) you can only set max resident user, no quota size within Intune and MobileIron, but please tell me if you experienced otherwise.

Thomas B. (tbosboom@apple.com)
2022-06-23 16:17:52

*Thread Reply:* Fwiw, the setting isn't Max in the API; it's just ‘residentUsers’ which is the expected number.

Thomas B. (tbosboom@apple.com)
2022-06-23 16:25:19

*Thread Reply:* Do the local cached accounts use all of their allotted quota in your test? And do you actually see all 11 accounts as recent accounts on the login screen?

Todd Cole (toddcole13@hotmail.com)
2022-06-23 19:54:28

*Thread Reply:* @Woody Sorry I have been on paternity leave and not on slack for a month! There is a video that gets into this a bit from WWDC this year (I believe it is the device management video) but the basic concept is either the OS balances the available space based on users (say 10 and it assigns the space available per) or space per user (separate option); when both are defined it gets tricky. I would verify that the MDM is not defining both but only one or the other control.

💪 Woody
Anton I (antonn94@gmail.com)
2022-06-02 12:31:21

We have developers that need to access internal backend resources for their web and native apps test for both iOS and Android. How have you solved this? For Web we probably could use MSFT Tunnel, but we're not sure on per-app VPN since the apps reside from TestFlight/Android Firebase or sometimes sideloading. Can Microsoft Tunnel do full device VPN on iOS as well as Android?

Nico Hermeling (nico.hermeling@outlook.com)
2022-06-02 15:24:25

*Thread Reply:* Yes, device wide VPN is supported on iOS as well as Android devices, but you need to enable it manually in Defender app

Arttu (arttu.huhtiniemi@miradore.com)
2022-06-02 15:52:11

@Arttu has joined the channel

Damian (support@expertmobilite.com)
2022-06-07 09:06:15

iOS 16 compatibility !

✅ Jay, Steven, Rajesh Kumar, Woody
👀 Barbra Conner
Boe (bkelley1982@gmail.com)
2022-06-08 16:24:47

*Thread Reply:* Don't forget iPad OS

Boe (bkelley1982@gmail.com)
2022-06-08 16:24:51

*Thread Reply:*

👍 Woody, Damian
iMZ (mark_zimmermann@me.com)
2022-06-08 11:19:45

Does the new system wide sso support shared iPad ?

Thomas B. (tbosboom@apple.com)
2022-06-09 09:57:02

*Thread Reply:* If you’re referring to Platform SSO, that is macOS only.

Thomas B. (tbosboom@apple.com)
2022-06-09 09:57:27

*Thread Reply:* Platform Single sign-on (SSO) for macOS

SSO extensions allow a user to enter their credentials once, so that subsequent apps and websites don’t require the user to repeatedly reauthenticate. But historically, SSO extensions worked only after a user logged in with their local credentials to macOS. Platform SSO allows developers to build SSO extensions that extend to the macOS login window, allowing users to use an Identity Provider (IdP) password to unlock their Mac. The local account password is automatically kept in sync, so the cloud password and local passwords match. Users can also unlock their Mac with Touch ID and Apple Watch.

There are two supported authentication methods:
• Authentication with a Secure Enclave-backed key: With this method, a user who logs in to their Mac can use a Secure Enclave-backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.
• Password authentication: With this method, a user authenticates with a local password or an IdP password.

Requirements

Platform SSO requires the following:
• macOS 13 or later
• An SSO extension payload that includes support for Platform SSO
• Support from the IdP for the Platform SSO authentication protocol
• A supported mobile device management (MDM) solution
  ◦ Note: If the Mac is unenrolled from the MDM solution, it is also unregistered from the IdP.

iMZ (mark_zimmermann@me.com)
2022-06-13 07:58:26

I hope I can deactivate developer mode on MDM devices

Thomas B. (tbosboom@apple.com)
2022-06-13 16:04:42

*Thread Reply:* I’d argue you already could - disable profile installation, disable trusting external developers, maybe disable USB data access…

Todd Cole (toddcole13@hotmail.com)
2022-06-24 18:28:27

*Thread Reply:* Also if you are in the Beta/Seed program file feedback asking for MDM capabilities you think are needed.

❤️ Thomas B.
Alex Chappuis (alex@creasion.ch)
2022-06-23 15:05:06

Hi, is anyone experiencing issues with Intune / iOS 15.5 and DEP devices since a few days? We can't stage iOS devices anymore - the iPads get stuck in Intune single-app mode although they are flagged as compliant and authentication succeeds https://www.reddit.com/r/Intune/comments/v6ol52/ios_devices_that_are_currently_under_an_abmdep/

Alex Chappuis (alex@creasion.ch)
2022-06-24 10:51:20

Cause identified: the Single app mode option (DEP profile Intune) does not work anymore with the current Intune + Company Portal app + iOS 15.5. Workaround: create a new DEP default profile without single app mode and assign it to new devices. Switching off the option in the current default profile doesn't help unfortunately...

👀 Woody, Jay, Rob B
Woody (eric.woodland@trust.tc)
2022-06-24 15:10:34

Thanks for the update @Alex Chappuis. That's interesting to say the least.

Aamir (zihaan9@gmail.com)
2022-06-29 00:15:33

@Aamir has joined the channel

Pierre Michaud (thunderbirt@gmail.com)
2022-07-07 16:28:25

Hello,

Curious to know if there are any recommendations for instructor led courses on the management capabilities when managing iOS devices? There appear to be many self-service courses but not having luck finding some that are instructor led.

The goal is to learn what management features are available when managing iOS devices that we may not know about.

Thank you!

Thomas B. (tbosboom@apple.com)
2022-07-11 08:53:51

*Thread Reply:* Aloha Pierre! I would concur, there might be room for somebody to offer that, but I haven’t seen many. Def not on a global level, local experts (e.g. in Apple Consultant Network or with local AAER) may offer options. Some MDM vendors have decent training - Jamf, VMware come to mind - that might serve your needs. Combined with the new self-paced training at https://training.apple.com/it you could get quite far.

👍 Woody, Pierre Michaud
Woody (eric.woodland@trust.tc)
2022-07-11 15:08:32

*Thread Reply:* Good recommendations, @Thomas B.!

Thomas B. (tbosboom@apple.com)
2022-07-11 15:23:45

*Thread Reply:* Thnx! I forgot one important suggestion - to connect with a friendly Apple SE in your region. These teams aren’t huge so they may get busy but will have great pointers for you, as well as invites to (virtual) Tech Camps with the latest content and connections to the wider Apple org (think Apple Professional Services, Consulting Engineers etc.)

👍 Pierre Michaud, Govi
Thomas B. (tbosboom@apple.com)
2022-07-11 15:28:18

*Thread Reply:* You may also want to join the AppleSeed channels in the community - they have some great discussions on the latest releases and upcoming features, also for iOS.

Damian (support@expertmobilite.com)
2022-07-19 08:16:37

Has anyone tested the new restriction in iOS 15 called « require managed pasteboard » ? Our Apple rep told us that it will block screen capture in managed apps but I just tested it and it doesn't work. Anyone have any luck with that? Thanks

Cedric Lüke (mail@cedric.cc)
2022-07-19 08:39:13

*Thread Reply:* First I've heard that this should prevent screenshots or screen recordings. We are testing it currently for copy & paste restrictions (we don't apply the allowScreenShot key). It does not yet work with Managed Domains in Safari (can't paste from a managed app into any website in Safari, even if it is part of the ManagedDomains list), but that's supposed to be fixed in iOS 16. Another bug is that it prevents pasting a signature from a managed mail account into the signature settings - I should probably open a feedback for this.

Cedric Lüke (mail@cedric.cc)
2022-07-19 08:41:44

*Thread Reply:* And the workaround, as always, is to take a screenshot and then copy the text from the image. Works quite well 😉 But I guess this is what you are trying to prevent.

😆 Woody
Mark Vonk (mark.vonk@dahvo.com)
2022-07-19 09:26:08

*Thread Reply:* Managed pasteboard does not do anything against screenshots. It disallows copy/paste of text from managed apps. It works, but not for Safari managed domains.

Damian (support@expertmobilite.com)
2022-07-19 09:29:05

*Thread Reply:* Thanks for the feedback guys - I was sceptical at best 😉

Cedric Lüke (mail@cedric.cc)
2022-07-19 10:43:05

*Thread Reply:* If you would like to pile on: FB10768591 - requireManagedPasteboard blocks pasting mail signature into managed mail signature setting

Thomas B. (tbosboom@apple.com)
2022-07-25 09:02:34

*Thread Reply:* There is of course the classic restriction to block all screenshots. Although in this day and age one has to wonder - if the employee is intent on exfil of data, they can use a plethora of options including their trusty Xerox machine. Isn’t that more of an HR problem?

Cristino Junior (cristinocdfj@gmail.com)
2022-07-26 01:36:18

@Cristino Junior has joined the channel

Damian (support@expertmobilite.com)
2022-08-02 09:23:43

I don't think this is possible (yet) but is it possible to define a default web browser (Edge for example) for the native iOS mail client using an MDM payload and disallow user from modifying it on the device ? We are currently doing it via Outlook for iOS whereby Edge is forced as default browser via an Intune MAM config policy.

Pierre Michaud (thunderbirt@gmail.com)
2022-08-18 18:15:28

*Thread Reply:* To my understanding, Apple has yet to make available the option for 3rd party MDM vendors to grant admins the ability to set the default browser on a managed iOS device.

Though I have yet to venture into the world of Intune MAMD config, good to know about Outlook + Edge.

Woody (eric.woodland@trust.tc)
2022-08-10 17:58:17

Has anyone found a way to re-push deleted system apps (Apple Mail) via VPP instead of allowing the user access to iCloud/App Store and re-installing it?

Pierre Michaud (thunderbirt@gmail.com)
2022-08-18 18:13:27

*Thread Reply:* Been trying to figure that one out myself. I learned the Mail app cannot be managed using VPP as it cannot leverage the InstallAsManaged key.

This is due to the intention that the email account is expected to be managed, and not the app, when managing an iOS device.

👍 Woody, Govi
Woody (eric.woodland@trust.tc)
2022-08-18 18:14:22

*Thread Reply:* @Pierre Michaud that makes sense. Suppose the only way to prevent this on company assets is to prevent the deletion of apps as a whole (iOS Restriction)

Woody (eric.woodland@trust.tc)
2022-11-30 14:24:35

*Thread Reply:* @Pierre Michaud I believe I saw an MDM feature that would re-push all system apps. I’ll have to check but it may have been MobileIron Cloud/Ivanti Neurons.

👍 Pierre Michaud
Pierre Michaud (thunderbirt@gmail.com)
2022-11-30 17:38:47

*Thread Reply:* @Woody Please keep me posted!

👀 Woody
👍 Woody
Woody (eric.woodland@trust.tc)
2022-11-30 19:44:44

*Thread Reply:* @Pierre Michaud

Pierre Michaud (thunderbirt@gmail.com)
2022-12-01 19:39:28

*Thread Reply:* What?!!? Such a thing exists? Had a chance to try it?

Woody (eric.woodland@trust.tc)
2022-12-01 21:17:21

*Thread Reply:* @Pierre Michaud Apparently! I have not had a chance. Will try it when I have a chance.

👍 Pierre Michaud
Woody (eric.woodland@trust.tc)
2022-12-19 19:33:43

*Thread Reply:* @Pierre Michaud it works!

👍 Pierre Michaud
Woody (eric.woodland@trust.tc)
2022-12-19 19:33:49

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2022-12-19 19:34:33

*Thread Reply:*

Pierre Michaud (thunderbirt@gmail.com)
2022-12-19 19:49:07

*Thread Reply:* Thanks for confirming! Looks like I will have to put in an FER with the vendor for my MDM solution :)

🙌 Woody
Woody (eric.woodland@trust.tc)
2022-12-20 16:34:20

*Thread Reply:* Welcome @Pierre Michaud! I was pumped to see it work as well. Can’t believe this has been overlooked by so many vendors.

Elena (elena.catalinadsp@gmail.com)
2022-08-12 10:12:37

@Elena has joined the channel

Mike KT (mpkthun@gmail.com)
2022-08-24 15:14:15

@Mike KT has joined the channel

Woody (eric.woodland@trust.tc)
2022-08-29 14:33:07

Has anyone found a way to prevent devices from streaming over cellular as a whole? Obviously there is the auto-join of WiFi, but is there some feature that would actually enforce every app on a supervised device to use WiFi if more than X data was consumed, etc?

Mathieu Beaugrand (beaugrandma@gmail.com)
2022-08-30 01:23:42

*Thread Reply:* There is a "network usage rules" payload that you can use, but you need to specify each app that you want to restrict. Alternatively, you can use cloud proxy solutions.

👍 Woody
Woody (eric.woodland@trust.tc)
2022-08-30 01:25:36

*Thread Reply:* @Mathieu Beaugrand I did see that as I was looking around, but it’s similar to specifying allow/deny lists for apps. Would be cleaner if they just supervised these devices and only allowed apps to be installed that they want used. Agree on the cloud-based proxy. My gut says they’d first use Supervision and then if it leans more towards COPE engage a cloud proxy

➕ Thomas B.
Damian (support@expertmobilite.com)
2022-09-01 19:59:29

We have a VIP who keeps getting an incessant pop-up “authorise this device to access photos and videos”. This has happened ever since he connected his device to his laptop. Tried a force restart - nothing works…asked him to connect to iTunes and uncheck some sync options etc in the hope that it might stop but have yet to hear back. Anyone seen this before? Running 15.6.1

Kevin (difilippo.kevin@gmail.com)
2022-09-07 21:18:20

@Kevin has joined the channel

Thomas B. (tbosboom@apple.com)
2022-09-12 07:50:11

Happy iOS 16 day everyone! https://support.apple.com/en-ca/guide/deployment/dep950aed53e/web

Apple Support
🙌 Woody
👍 Govi
💪 Woody
Matt Turner (matt.turner@wnco.com)
2022-10-03 12:35:06

@Matt Turner has joined the channel

Daniel O’ Riordan-Collin (jdor12321@gmail.com)
2022-10-31 14:16:14

@Daniel O’ Riordan-Collin has joined the channel

Prashanth (rprashanth1994@gmail.com)
2022-11-21 14:37:42

@Prashanth has joined the channel

Woody (eric.woodland@trust.tc)
2022-11-30 14:27:23

Trying to remember (it’s been a minute): Migrating from an unmanaged phone to a new device that will go through ABM/DEP: If I opt to restore from an iCloud backup (assuming it is a personal account), would I then be guided into MDM enrollment? What happens to the iCloud account that the restore is initiated from once the startup wizard completes?

Peter Mohr (pm@conscia.com)
2022-11-30 14:29:00

*Thread Reply:* Will this help? https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide

ibm.com
Woody (eric.woodland@trust.tc)
2022-11-30 14:31:34

*Thread Reply:* Nice @Peter Mohr! Bookmarking that one.

Woody (eric.woodland@trust.tc)
2022-11-30 14:33:43

*Thread Reply:* My only question is… the personal iCloud account that was on the device previously… it continues to exist, yet activation lock/etc would no longer be applicable (due to ABM/Supervision). Correct?

Peter Mohr (pm@conscia.com)
2022-11-30 14:35:17

*Thread Reply:* correct 🙂

💪 Woody
iMZ (mark_zimmermann@me.com)
2022-12-16 18:38:39

Can someone send me the following information ?

• screenvideo for activation of Advanced Data Protection for iCloud
• Is the data still available on iCloud.com (and how)
• Will the data be available within privacy.Apple.com
• Is this option available for managed Apple ids ?

I will pay you 50$ via PayPal if you send me the Infos ….

Ajay Patel (ajay5675@msn.com)
2022-12-18 22:03:53

*Thread Reply:* @iMZ to answer your questions.

1) sorry don’t have a screen recording just yet
2) if enabled, data is NOT available on iCloud.com
3) no the data will not be available as even Apple do not have access to your data.
4) no managed Apple ID’s is not an option.

All answers are in this link - https://support.apple.com/en-us/HT212520

Apple Support
iMZ (mark_zimmermann@me.com)
2022-12-22 21:36:56

*Thread Reply:* 2 is wrong 3 is maybe wrong

Ajay Patel (ajay5675@msn.com)
2022-12-22 21:38:28

*Thread Reply:* Just going by the doc 🤷‍♂️ haven’t personally tried it yet

Ajay Patel (ajay5675@msn.com)
2022-12-22 21:39:01

*Thread Reply:* When you say wrong, is it wrong or just not working as per their documentation?

iMZ (mark_zimmermann@me.com)
2022-12-23 16:39:36

*Thread Reply:* You can access data on iCloud.com

Apple transfers the decryption keys at runtime from the device to display the data within the browser

Jay (vita@akut-hr.de)
2022-12-20 09:34:03

Is there a possibility to push a single contact into the contacts app using a profile?

Nico Hermeling (nico.hermeling@outlook.com)
2022-12-20 22:32:03

*Thread Reply:* What's the use case? Something like a global helpdesk number on all devices? Could be pushed via web clip and deeplink to the phone app so users tap the web clip and it starts the call.

Jay (vita@akut-hr.de)
2022-12-21 08:10:44

*Thread Reply:* Use case would be to share OTP per SMS with the users for example, obviously after they verified the phone number with us. Not so much for calling, really more for texting information in case user password gets reset, as another example

Woody (eric.woodland@trust.tc)
2022-12-20 17:24:20

@Jay I don’t believe so. Closest thing I’ve seen is something like this from @Peter Mohr’s company: http://phonebook.conscia.com/FAQ

Corporate Phonebook
Jay (vita@akut-hr.de)
2022-12-20 17:26:48

Interesting, thank you for sharing!

👍 Woody
Peter Mohr (pm@conscia.com)
2022-12-20 19:37:38

*Thread Reply:* Yeah. Ping me if you need help with this. Should be pretty easy though :-)

:gratitude_thank_you: Jay
👍 Woody
Todd Cole (toddcole13@hotmail.com)
2023-01-04 17:11:27

*Thread Reply:* @Peter Mohr Question about the Corporate Phonebook. I am looking for a solution that I can use to keep a list of contacts that I want to update centrally but my end users can use the contacts in a way that is similar to the native contacts app. Key here is that I need to make sure that the “central office” can specifically control the “company contacts.” The teams already have a company directory (think big HR managed data, Office 365) but want a tool for the smaller team (think about 70 people) where this regional team’s info is maintained as they rotate throughout the larger company often. I need a way to say “the person for region a is XXXX” and have the contact info for that be central. Does this make sense and will this app do that?

Peter Mohr (pm@conscia.com)
2023-01-04 18:59:38

*Thread Reply:* The app doesn’t do this 😞 I once looked at this company/product suite…

https://cirahub.com/two-way-contact-sync/

Peter

CiraHub
Todd Cole (toddcole13@hotmail.com)
2023-01-19 18:20:00

*Thread Reply:* Thank you for the recommendation

David Arvidsson (david.arvidsson@outlook.com)
2022-12-21 09:26:28

@David Arvidsson has joined the channel

Steven (steven@pro.incogni.ch)
2022-12-22 08:07:00

Does anyone know if we can disable Apple's Mail Privacy Protection feature remotely ? There is nothing about it in the documentation and I'm afraid it's not possible yet :(

https://developer.apple.com/documentation/devicemanagement/mail

Woody (eric.woodland@trust.tc)
2022-12-22 16:29:37

@Steven which feature in specific? Like Hide My Email?

Steven (steven@pro.incogni.ch)
2022-12-23 07:22:11

*Thread Reply:* @Woody the feature called "Mail Privacy Protection [which] works by hiding your IP address and loading remote content privately in the background". It pops whenever you first launch the Mail app after deploying an EAS payload for the native Mail client. It can also be found in Settings > Mail > Privacy Protection.

👍 Woody
Woody (eric.woodland@trust.tc)
2023-01-03 16:06:24

*Thread Reply:* Ahhh, okay @Steven. I don’t believe I’ve seen a control for that in either Apple Configurator or any of the MDM Payloads.

😞 Steven
Nick (nickdiaz@gmail.com)
2022-12-27 13:54:58

Anyone banning TikTok for BYOD yet? 😉

👀 Woody
Jay (vita@akut-hr.de)
2022-12-27 13:57:09

*Thread Reply:* Is this really becoming a thing? And would you really want to do that on BYOD?

Sharkey (lukesharkey@gmail.com)
2022-12-27 14:37:16

*Thread Reply:* It’s been banned in 18 states in state government devices. But not on BYOD. Use MAM to Protect your data.

Nick (nickdiaz@gmail.com)
2022-12-27 14:40:36

*Thread Reply:* Not reflecting my own views; let me play devil's advocate: "Don't we ban other malware on BYOD, or at least have the MTD trigger non-compliance?"

Sharkey (lukesharkey@gmail.com)
2022-12-27 16:35:07

*Thread Reply:* It’s a slippery slope to go down. If you’re that concerned IMO, don’t do BYOD.

👍 Woody
Mark Vonk (mark.vonk@dahvo.com)
2022-12-27 21:34:44

*Thread Reply:* It really depends on the “data” you want to protect. MAM does not protect you against any of the data TikTok collects, except for contacts maybe. If you need to secure for example location data, indeed you might be better off handing out corp phones.

👍 Woody
Joel Prefontaine (joel_prefontaine@outlook.com)
2023-03-01 04:31:26

*Thread Reply:* Following this closely as all Government organizations have established bans on the app now for their company phones. There must be someone who works with them here. Was it just a blacklisted app in W1 as I thought there was limited capabilities in iOS for this.

Anshu (anshu0710@gmail.com)
2023-01-16 08:15:56

@Anshu has joined the channel

Niklas Jenslöv (niklas.jenslov@gmail.com)
2023-01-17 08:08:52

Hi Friends! Since a while back we get a lot of calls from users who enroll iOS devices in Workspace One. The apps configured for auto-install (Hub, Outlook, Teams, Authenticator) are shown on the home screen but with a cloud on the icon. We have seen this before for offloaded apps, or on apps restored from an iCloud backup, but in this case it is new devices just enrolled without any restored backups. Anyone know why?

Jeff Hernandez (Jeff.hernandez@disney.com)
2023-01-20 16:24:12

@Jeff Hernandez has joined the channel

Allison Smith (allison.smith@disney.com)
2023-01-20 16:25:00

@Allison Smith has joined the channel

Dimi (1547@live.co.uk)
2023-01-20 16:46:16

Hey folks do you know if it is possible to migrate devices from one ABM (company A) to another ABM (company B) in some sort of non manual way?

Sharkey (lukesharkey@gmail.com)
2023-01-20 18:12:29

*Thread Reply:* You can either have the vendors who provided all the devices remove them from one and add them to the other. Or you could take all the devices in and manually add them through Apple Configurator. Depending on how many devices you have to deal with one would be easier than the other, of course. That’s really the only way to do it.

Dimi (1547@live.co.uk)
2023-02-22 14:21:56

*Thread Reply:* We found out at the end that the apple reseller can just move them from one ABM to another with a stroke of a pen. Thanks.

Joel Prefontaine (joel_prefontaine@outlook.com)
2023-03-01 04:28:52

*Thread Reply:* I think you got lucky with the vendor. One having a single source of purchases and then also having them do the work. Seems like a lot of resellers are batting about 500 on the technical expertise and execution.

iMZ (mark_zimmermann@me.com)
2023-01-26 19:14:00

Today Klaus Rodewig held a very interesting #webinar ( https://lnkd.in/e47iefMs ) about the APIs of #Apple #iOS/ #macOS / #tvOS and #watchOS. It was a great opportunity to learn more about the usage of these APIs and to learn from an experienced expert. I am sure that both developers and administrators benefited from this webinar and it will help them to successfully implement their projects.

I was able to help Klaus with the "Shared with you" feature by sending him links to my #Podcasts https://lnkd.in/e4NrcgQE and https://lnkd.in/e9EwTCGX via iMessage, where I had the opportunity to give interviews in 2022.

The #Heise Mac&i Pro offer is not only for #developers, but also #administrators can benefit from the presented content and take away valuable information for their work.

German #content

The new APIs in macOS, iOS, iPadOS, watchOS and tvOS in practice - The webinar from mac&i Pro
Apple Podcasts
Apple Podcasts
👍 Govi, Woody
Rajesh Kumar (rajes20@gmail.com)
2023-02-03 14:04:16

Can we supervise the non-ABM device using Apple Configurator without enrolling into any MDM... I can see the option to supervise only in Apple Configurator (don't like to add into ABM or activate & complete the enrollment during supervising the device) but not sure how to enroll into MDM after that so that device can be in supervised state in the MDM or ABM console.

Steven (steven@pro.incogni.ch)
2023-02-03 16:09:21

*Thread Reply:* Not sure about your question. You can for example supervise a device with Apple Configurator instead of having to enroll it in a MDM. The device gets supervised the same way it would via a MDM. You can even deploy profiles and apps via AC. It can replace a whole MDM in some way.

If you just want to use AC to have your device attached to ABM in order to use Automated Device Enrollment feature with a third party MDM, here is the process:
• Link your ABM "Organization" to AC
• "Prepare" your device via "Manual configuration" and tick "Add to ASM or ABM"
• Let AC add the device to ABM
• In ABM, move the device from "Apple Configurator" to your current MDM
• Check your MDM for specific actions after adding the device (like assigning a DEP profile)
• Enroll your device :)

Rajesh Kumar (rajes20@gmail.com)
2023-02-03 16:13:27

*Thread Reply:* Thank you... we already tried this and were able to add into ABM portal with user affinity.

Rajesh Kumar (rajes20@gmail.com)
2023-02-03 16:14:14

*Thread Reply:* But if we just want to supervise the device without adding into ABM portal... will I be able to enroll it later into any MDM

Nico Hermeling (nico.hermeling@outlook.com)
2023-02-03 16:41:42

*Thread Reply:* You need an ABM to get the device supervised. AFAIK it's not possible to do it without ABM. But if it's in ABM you can leave it unassigned so it is not enrolling to any MDM.

Todd Cole (toddcole13@hotmail.com)
2023-03-06 16:20:54

*Thread Reply:* Why do you need supervision? It only gets you access to a few more profile commands? Maybe the passcode reset?

👍 Thomas B.
Mark Polette (polette.m@pg.com)
2023-03-09 20:09:55

*Thread Reply:* Yes, you can supervise a device only via Apple Configurator and then manually enroll later into MDM. We have done this with many devices.

Anton T (anton.tuev@thegema.eu)
2023-02-14 11:46:09

@Anton T has joined the channel

Kevin Aulbach (kevin.aulbach@thegema.eu)
2023-02-14 12:20:18

@Kevin Aulbach has joined the channel

David S (David.Shields@Sci-us.com)
2023-02-14 17:12:38

@David S has joined the channel

Katja H (katja.hakoneva@goto.com)
2023-02-15 12:45:59

@Katja H has joined the channel

Bhavesh (bhavesh0508@gmail.com)
2023-02-15 16:48:26

@Bhavesh has joined the channel

Björn Kemps (bk@mob.co)
2023-02-15 20:58:43

@Björn Kemps has joined the channel

Tobias Jul Kastrup (tjk@conscia.com)
2023-05-11 09:48:49

@Tobias Jul Kastrup has joined the channel

Ryan Grimm (rgrimm@weismarkets.com)
2023-05-18 15:21:30

@Ryan Grimm has joined the channel

Damian (support@expertmobilite.com)
2023-05-22 08:47:24

Hi folks, anyone know where this is coming from? I’ve seen it the past few months only but disabling certain mobile data options doesn’t make it disappear. Some users click the option to use mobile data by mistake but I’m guessing that there is no MDM option to disable the use of mobile data probably to ensure that devices receive the update one way or another…

Peter Mohr (pm@conscia.com)
2023-05-22 09:20:22

*Thread Reply:* It’s an iOS feature controlled by the carrier settings of each iOS build

👀 Woody
Damian (support@expertmobilite.com)
2023-05-22 09:30:43

*Thread Reply:* Oh really? Where did you get that info? 😉

Peter Mohr (pm@conscia.com)
2023-05-22 09:31:53

*Thread Reply:* From Apple… we had a private session with them about carrier settings in general 🙂

👍 Damian, Woody, Thomas B.
Damian (support@expertmobilite.com)
2023-05-22 09:35:17

*Thread Reply:* Nice, I’ll fire off a quick email to our account team to see what they come back with! Any particular reason they have for implementing this other than the one I mentioned?

Mark Vonk (mark.vonk@dahvo.com)
2023-05-22 20:56:09

*Thread Reply:* Weird though, as I see it only on iPad and never on iPhone, same carrier network on the devices... can it be targeted towards certain device types

Peter Mohr (pm@conscia.com)
2023-05-22 21:52:06

*Thread Reply:* Carrier Settings is per device model. Each model has their own so iPhone 8 can be different from iPhone X etc. You can download the ipsw files for each model and check the settings for each carrier if you care to :-)

Amine (amine.ayad@gmail.com)
2023-06-08 08:25:44

*Thread Reply:* Hi Peter, can you please explain how I can check those settings on an IPSW file? I tried looking into its files but couldn’t find any carrier-related setting.

Thomas B. (tbosboom@apple.com)
2023-07-06 15:22:32

*Thread Reply:* On more recent iOS versions (15.4 or later), the old carrier size limit for OS updates on cellular in the carrier configuration is no longer applied.

Peter Mohr (pm@conscia.com)
2023-07-07 07:34:04

*Thread Reply:* @Amine the carrier bundle extraction flow looks something like this:

1) Download .ipsw
2) Rename to .zip
3) Unpack
4) Find largest .dmg inside folder
5) Mount .dmg
6) Look into /System/Library/Carrier Bundles/ folder in the mounted volume
7) TDC DK is called: TDC_dk.bundle (Find your own carrier… 🙂 )
8) Copy .bundle. Rename to .zip. Unpack…

Peter Mohr (pm@conscia.com)
2023-07-07 07:38:42

*Thread Reply:* @Thomas B. this is still a carrier setting under carrier control but you’re correct that carrier settings are no longer sent to device “out-of-band”. Now they are only pushed as part of iOS updates

Thomas B. (tbosboom@apple.com)
2023-07-07 11:45:41

*Thread Reply:* The values no longer have the effect they had - some customers have been surprised by the change… It makes sense though, the ability to set the limits that made sense in 2007 for iPhone doesn’t really apply anymore in 2023 where data is abundant.

Peter Mohr (pm@conscia.com)
2023-07-07 11:47:00

*Thread Reply:* The limits are STILL in effect if the telco chooses to have it so. TDC in Denmark still limits the downloads and the OS updates on cellular. The other carriers in DK have removed their limits…

Thomas B. (tbosboom@apple.com)
2023-07-11 07:53:42

*Thread Reply:* Thanks for that detail! I had only heard from 1 carrier in the US so far still enforcing any limit, but I’ll take your local expertise. The challenging part for me is that most carrier employees won’t have knowledge of this mechanism nor their setting, so for me, the changes with 15.4 have been a great help.

Rob Knight (robert.knight@losingthewires.com)
2023-05-26 11:45:48

@Rob Knight has joined the channel

CDH (chewinson@yieldstreet.com)
2023-06-07 17:04:17

@CDH has joined the channel

Govi (byodmdm@gmail.com)
2023-07-17 05:35:22

Any blog about the new features of Apple User Enrollment with iOS17.X? Please share the link details.

Woody (eric.woodland@trust.tc)
2023-07-19 19:10:33

Get ready…

✅ Jay, Nick Knight, Mark Vonk, Damian, Steven
🙌 Thomas B.
iMZ (mark_zimmermann@me.com)
2023-07-27 18:29:07

*Thread Reply:* ?

Woody (eric.woodland@trust.tc)
2023-07-27 18:30:11

*Thread Reply:* Update yer T&Cs in ABM @iMZ 🙂

Boe (bkelley1982@gmail.com)
2023-07-20 14:27:36

So random question for you all, what is the best way to allow staff to free up storage on a device once it starts to fill up? Every now and again I get a request saying the storage is low and we just remotely remove and reinstall the apps (yes our techs could manually do this but they seem to struggle with it) so curious what other options people use?

Thomas B. (tbosboom@apple.com)
2023-07-25 12:37:28

*Thread Reply:* Are these personally enabled (i.e. COPE) devices? In that case I’d probably direct the user to https://support.apple.com/HT201656 and start there to figure out where the space is used.

Apple Support
iMZ (mark_zimmermann@me.com)
2023-07-27 18:31:06

Is there an MdM out there with watchOS management (beta) ?

Damian (damian_mcmahon@icloud.com)
2023-07-28 15:28:17

@Damian has joined the channel

Damian (damian_mcmahon@icloud.com)
2023-07-28 15:31:53

Hi folks,

Anyone here seeing issues with iOS devices not communicating updated information with MDM? In particular, the OS version? Our helpdesk has received quite a few cases recently because our compliance policy is sending out mails to tell users to update their iOS but it’s already updated on the device. There are also quite a few commands waiting under the troubleshooting section - rebooted device, changed network, reset network settings but still nothing… this reminds me of the issue with the empty samples for certificates not sent to MDM (in our case WS1) which then revoked the cert…

I can also see a “not verified” message in red on the MDM profile…

Boe (bkelley1982@gmail.com)
2023-07-28 18:00:52

Is there a way via an MDM to prevent Safari from storing passwords?

Mark Vonk (mark.vonk@dahvo.com)
2023-07-30 08:04:41

*Thread Reply:* Yes there is a password autofill restriction: https://support.apple.com/en-euro/guide/deployment/dep0f7dd3d8/web

Apple Support
iMZ (mark_zimmermann@me.com)
2023-07-29 17:14:25

Has anyone tried Mdm with watchOS 10 yet?

Thomas B. (tbosboom@apple.com)
2023-10-05 12:50:44

*Thread Reply:* For those interested to try, Mosyle has this in their beta feature set now that you can easily opt-in to. Makes for a fun test.

Stephen Wilk (smwilk1990@gmail.com)
2023-08-04 16:25:41

@Stephen Wilk has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2023-08-22 14:58:56

Our CISO has some issues with deploying user certificates to iOS devices because of the possibility that someone who would have access to the phone could export the certificate and use it. Our phones are passcode protected anyway, but let’s say someone would have physical access to the phone, could they export the user certificates which have been deployed via MDM? Is there a technical way or will Apple prevent that anyway?

Peter Mohr (pm@conscia.com)
2023-08-22 15:01:37

*Thread Reply:* Only Apple apps/processes have access to the keychain where the certs are stored. So no!

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2023-08-22 15:12:15

*Thread Reply:* Gotcha. Except „Jailbreaking“ or using OS vulnerabilities

Peter Mohr (pm@conscia.com)
2023-08-22 15:12:45

*Thread Reply:* true, but then you can never trust your devices and shouldn’t use them for anything 🙂

👍 Daniel, Woody
Mikey2000 (mscottscranton079@gmail.com)
2023-08-22 15:13:00

*Thread Reply:* True that! 😃

Todd Cole (toddcole13@hotmail.com)
2023-08-22 21:09:26

*Thread Reply:* This might be helpful info on how keychain works: https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/1/web/1

Apple Support
Todd Cole (toddcole13@hotmail.com)
2023-08-22 21:10:14

*Thread Reply:* The larger Data protection section is also very informative on how all the crypto works.

Thomas B. (tbosboom@apple.com)
2023-10-05 12:49:42

*Thread Reply:* You could look into ACME and Managed Device Attestation with Secure Enclave backed certificates - those are the ultimate answer for this type of concern.

Classic MDM deployed certificates can be included in the backup, so blocking backup (and data access via USB in general) would be one measure to consider as an intermediate step.

I’d also be interested to understand the risk perspective - even if the CISO threat model includes an employee that is actively subverting security controls, I don’t believe technical controls would be the appropriate answer necessarily…

Andrew (aj4x@icloud.com)
2023-08-31 20:45:46

Does anyone know what the Bundle ID for the iOS Captive Portal is?

Mark Vonk (mark.vonk@dahvo.com)
2023-09-01 11:21:47

*Thread Reply:* Isn’t that just a Safari webview?

Andrew (aj4x@icloud.com)
2023-09-05 23:57:15

*Thread Reply:* That was my thought. However, unlike other Safari webview and WebKit prompts, when I pull up the Captive Portal I don’t see an entry in my console logging like this:

FilterControlExtension Flow seen with Remote Endpoint 13.107.21.200:443, protocol: 6, AppID: .com.apple.mobilesafari, AppVersion 16.6, URL: https://www.bing.com/, Result: Blocked

We have a plug-in Content Filter that can allow or block traffic to apps and websites. Pretty much any app bundle ID appears in the logging. Seemingly all but the Captive Portal.

Mark Vonk (mark.vonk@dahvo.com)
2023-09-06 06:04:09

*Thread Reply:* Com.apple.captive and com.apple.WebKit.WebContent.CaptivePortal show up in my searches

Andrew (aj4x@icloud.com)
2023-09-07 20:26:44

*Thread Reply:* I think I’ve got this solved. Our logging was not picking up NEFilterBrowserFlow traffic. A little tweak to that and we get: com.apple.Websheet

So, for anyone encountering something like this, com.apple.Websheet is the App ID the Captive Portal is using.

Mark Vonk (mark.vonk@dahvo.com)
2023-09-07 20:33:04

*Thread Reply:* 👍 thanks

Ajay Patel (ajay5675@msn.com)
2023-09-02 14:43:17

Does anyone know if you can assign Azure federation with ABM for multiple Azure domains? E.g. we want to add our test tenant and domain for shared iPad managed Apple IDs

Almar Diehl (almar.diehl@blaud.com)
2023-09-02 14:50:57

*Thread Reply:* https://support.apple.com/nl-nl/guide/apple-business-essentials/axm8c1cac980/web#:~:text=Multiple%20domains%20can%20be%20federated,authority%20to%20federate%20the%20domain

Ajay Patel (ajay5675@msn.com)
2023-09-02 15:17:02

*Thread Reply:* Thanks Almar must have overlooked that. But looks like the answer is no as we have two separate tenants

Peter Mohr (pm@conscia.com)
2023-09-02 19:26:12

*Thread Reply:* yeah. then you need two ABMs

Bruce (bpayne@mobileiron.com)
2023-09-05 12:55:36

@Bruce has joined the channel

Damian (damian_mcmahon@icloud.com)
2023-09-06 08:16:59

Anyone here seen an issue whereby under General/About/Network there is a message « Phone not allowed » ? The issue we are seeing is that the network connectivity is fine for a few mins/hours and then it throws this message. Multiple SIM cards tested - same issue. Apple contacted and device is not reported as stolen/lost/blacklisted. We tried the usual - erase content and settings etc…strange one!

Greig Menzies (greig.menzies@intel.com)
2023-09-08 07:43:30

@Greig Menzies has joined the channel

Rob B (robtb1990@gmail.com)
2023-09-08 14:18:24

Anybody else use Global Protect on iOS devices with a per app vpn configuration? If so have you noticed any issues with the time it takes to complete HIP checks?

Just very recently all of a sudden GP seems to take forever to complete its HIP checks before it allows traffic through. Users open in-house dev'd app, app tries to go to IDP for login but it can take 2-3 minutes before GP allows the traffic through.

Never has been an issue until last week. But networking is telling me the speed of completing the HIP checks is just based on the processing power of the device it's on. But if the same devices worked fine for the last year up until just last week I'm not sure how that means the devices are the root cause.

Damian (damian_mcmahon@icloud.com)
2023-09-13 10:19:20

Hi folks, anyone aware of what this means? I can’t really find any other info on this. Thanks https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/GettingReadyForAppleReleases/GUID-GettingReadyforAppleReleases2023.html

Rajesh Kumar (rajes20@gmail.com)
2023-09-13 14:31:39

Looks like Apple found new Zero day V with older ios version and requesting customer to update to v16.6.1

Rajesh Kumar (rajes20@gmail.com)
2023-09-13 14:32:03

And apple ios Version 17 is also coming in 2 weeks

Rajesh Kumar (rajes20@gmail.com)
2023-09-13 14:32:28

Apple OS version is also not stable now.

Rajesh Kumar (rajes20@gmail.com)
2023-09-13 14:34:03

How are you guys enforcing iOS updates for iOS users who are using unsupervised devices with Intune MDM, except enforcing compliance policy and push notification or email?

Mark Vonk (mark.vonk@dahvo.com)
2023-09-13 16:48:20

*Thread Reply:* For unsupervised devices there is not much you can do except mark those non-compliant and block email, etc if these Intune enrolled. Otherwise enforce the iOS version using the MAM application protection policy.

Rajesh Kumar (rajes20@gmail.com)
2023-09-14 01:06:44

*Thread Reply:* Yup.. it's sad.

Rajesh Kumar (rajes20@gmail.com)
2023-09-13 14:34:33

Is there any other way to enforce updates to unsupervised devices via intune mdm

Sharkey (lukesharkey@gmail.com)
2023-09-13 14:43:05

Are they enrolled in intune? Or just using app protection policies?

Rajesh Kumar (rajes20@gmail.com)
2023-09-14 01:05:56

It's enrolled into Intune as Company owned device using Company portal app

Sharkey (lukesharkey@gmail.com)
2023-09-14 01:10:43

If it’s not supervised then all you can do is enforce compliance policies really.

Nick Knight (arpknight@gmail.com)
2023-09-21 12:42:32

And don't forget the conditional launch for app protection policies - you can specify minimum os version.

Damian (damian_mcmahon@icloud.com)
2023-09-26 16:28:53

https://kb.vmware.com/s/article/94814?lang=enUS&queryTerm=94814

😬 Woody
Steven (steven@pro.incogni.ch)
2023-09-28 10:47:36

*Thread Reply:* I tend to always disable Compromised Protection no matter what. It's the same story for each major iOS release 😐

👆 Matt Dermody
Damian (damian_mcmahon@icloud.com)
2023-09-28 11:13:34

*Thread Reply:* You mean turn it off temporarily until VMware release the fix or off altogether ?

Steven (steven@pro.incogni.ch)
2023-09-28 11:56:55

*Thread Reply:* Off all the time !

👆 Matt Dermody
Damian (damian_mcmahon@icloud.com)
2023-09-28 15:13:42

*Thread Reply:* Isn’t that a security risk?

Steven (steven@pro.incogni.ch)
2023-09-28 15:22:55

*Thread Reply:* You can use Compliance Policies instead. Same detection of compromised devices, but you decide what are the actions instead of a default "device wipe" from Compromised Protection setting.

Damian (damian_mcmahon@icloud.com)
2023-09-29 15:03:18

*Thread Reply:* Yep, i just checked and this is actually what we do (use a compliance policy and disable this setting)

Kyle (muenker.k@pg.com)
2023-09-27 18:33:16

@Kyle has joined the channel

Bruce (bruciebonus41@gmail.com)
2023-09-28 10:49:53

@Bruce has joined the channel

Jorge Bayán (jorge.bayan@externos.correo.gob.es)
2023-10-06 09:06:27

@Jorge Bayán has joined the channel

Joey Ketels (jketels@vmware.com)
2023-10-06 13:24:51

@Joey Ketels has joined the channel

Adrian (chirashisushisashimi@gmail.com)
2023-10-31 14:28:32

@Adrian has joined the channel

Josh Schofield (josh.schofield@gmail.com)
2023-11-01 14:13:24

@Josh Schofield has joined the channel

Daniel (d.weber@netze-bw.de)
2023-11-06 19:32:46

Hi everyone, is anyone using Citrix SSO (Citrix Secure access) for per-app-vpn functionality on Apple iOS Devices? Since iOS 17.1 and/or app update 23.11.1 (738) we are noticing that the app is listed in the battery overview with 47% background activity even on unused devices. My test device is showing 2h 36min background activity for the Citrix app where “Screen off” time is 2h 39min. Anyone else noticing battery draining on iOS 17.1 and/or Citrix SSO app?

Damian (damian_mcmahon@icloud.com)
2023-11-06 20:16:07

*Thread Reply:* We had a similar issue with the VMware tunnel app for iOS which got stuck on the DTLS channel when the merge between TCP/UDP channels failed. The client was not intelligent enough to recognize and terminate the session thus became stuck in a loop consuming battery power in the process. It might be something similar with your Citrix client ?

😲 Daniel
Daniel (d.weber@netze-bw.de)
2023-11-06 20:21:03

*Thread Reply:* Interesting. Thanks for your reply! Had a look into the client logs and it seems to listen to any system broadcast where the device is stating “awake”. However, I’m 100% sure that the device has been on my desk during the night 😄

And, in regards to your path: "DTLS Mux setup timed out. No response from NSG?
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Control channel creation successful.
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: controlChannel Fd 11 and stream <NSGIoStream: 0x1032a61e0>
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Control Channel stream is <NSGIoStream: 0x1032a61e0>
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Creating DTLS MUX
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Control connection setup successful. GW: <PUB-IP>
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: NSGTunnelParameters - Updating tunnel status from 3 to 3
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: [C261 <PUB-IP>:443 udp, tls, attribution: developer, path satisfied (Path is satisfied), viable, interface: en0[802.11], scoped, ipv4, dns, uses wifi] transition to preparing
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: [C254 <PUB-IP>:443 udp, tls, attribution: developer, path satisfied (Path is satisfied), viable, interface: en0[802.11], scoped, ipv4, dns, uses wifi] transition to preparing
[Nov 2, 2023 at 11:20:50 PM GMT+1] <Debug>: DTLS Mux setup timed out. No response from NSG?
[Nov 2, 2023 at 11:20:50 PM GMT+1] <Debug>: setting Control channel <NSGIoStream: 0x1032a61e0> read handler
[Nov 2, 2023 at 11:20:50 PM GMT+1] <Debug>: [C261 <PUB-IP>:443 udp, tls, attribution: developer] cancelled
[Nov 2, 2023 at 11:20:52 PM GMT+1] <Debug>: Device going to sleep, tunnel status 3.
[Nov 2, 2023 at 11:20:52 PM GMT+1] <Debug>: No current connections
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: Device wake up from sleep, tunnel status is 3.
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: No current connections
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: PacketTunnelProvider: (0) Re-establishing control channel because of a system wake event. (networkIsDown: 0)
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Error>: checkConnectivity - connect result = -1 (errno=36)
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: Connectivity check. select() call return value = 1
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: Trying to re-establish control channel.
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: NSGControlChannel - Appending HTTP headers
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: NSG control Channel Request: [HTTP REQUEST ...]

Tommy Le (tommy.hai.le@gmail.com)
2023-11-09 11:07:01

@Tommy Le has joined the channel

Woody (eric.woodland@trust.tc)
2023-11-14 20:46:39

Hey Gang -- Anyone noticing devices added via Configurator are listed in the ABM/ASM Assignment History, but aren't actually shown as a device that you can find?

Sharkey (lukesharkey@gmail.com)
2023-11-15 03:52:07

*Thread Reply:* This was happening to me today too. But it finally resolved itself.

👍 Woody
Woody (eric.woodland@trust.tc)
2023-11-16 01:54:47

*Thread Reply:* Yeah -- I left a device in the system overnight and it worked itself out. Sort of frustrating, but at least it self-resolved.

Mark Vonk (mark.vonk@dahvo.com)
2023-11-16 09:55:27

*Thread Reply:* Happened to me yesterday too. After a couple of hours, the device showed up in ABM

👍 Woody
Woody (eric.woodland@trust.tc)
2023-11-14 20:53:24
Woody (eric.woodland@trust.tc)
2023-11-14 20:53:35

It shows that it adds successfully

Woody (eric.woodland@trust.tc)
2023-11-14 20:56:37

but then nothing appears for said SN:

Probo (cody.higgins@trust.tc)
2023-11-14 21:57:36

@Probo has joined the channel

Ajay Patel (ajay5675@msn.com)
2023-11-29 17:23:28

General Apple question - I am right in assuming that there is no way to connect to Wi-Fi via QR code etc during device provisioning (ABM/DEP) like there is with Android? I’m pretty sure I know the answer but just wanted to be certain I’m not missing a trick

Damian (damian_mcmahon@icloud.com)
2023-12-04 21:20:39

Just a quick heads up for everyone! I’d advise you all to check your iOS fleet as we’ve lost mgmt on approx 3000 devices out of 60,000 ! Symptoms: devices are no longer communicating with our MDM provider (WS1 in our case). After exhaustive troubleshooting, multiple sysdiagnose and many months of back and forth between us and also VMware and Apple engineering, it seems that there are multiple issues on both the APNS side (notifications dropped/lost) and also the device side whereby connections to the MDM are being refused by iOS due to an SSL pinning issue related to non-trust of GoDaddy root/intermediate certs. Keep me posted as I’d be interested in everyone’s feedback here.

👀 Thomas B.
Peter Mohr (pm@conscia.com)
2023-12-05 07:41:15

*Thread Reply:* wow @Damian not good! Keep us posted if you can

‼️ Jay, Woody
jon towles (jontowles@gmail.com)
2023-12-05 12:53:38

*Thread Reply:* Sounds like the godaddy certs just need to be added into ssl pinning in the console

Damian (damian_mcmahon@icloud.com)
2023-12-05 13:01:16

*Thread Reply:* Well, those certs are present in the Apple native cert store so I don’t see why iOS is complaining. What would putting them in the ssl pinning section of the console help in any way?

jon towles (jontowles@gmail.com)
2023-12-05 13:03:47

*Thread Reply:* Has nothing to do with the device itself. In the ws1 console you have pinning setup with the full chain and it tells the client device who the issuers are. The client is being told who the exact certificates are and to not trust anything else

👀 Woody
jon towles (jontowles@gmail.com)
2023-12-05 13:04:18

*Thread Reply:* So if you have a pinning issue it is most likely the pinning configuration

👀 Woody
jafullersr (jafuller@starbucks.com)
2023-12-08 00:08:21

*Thread Reply:* APNs doesn't use WS1 cert pinning though.

jafullersr (jafuller@starbucks.com)
2023-12-08 00:09:21

*Thread Reply:* The MDM Push certificate portal is managed by Apple. If they're not trusting the MDM commands from a service that's using their own certificate for APNs, that's really bad.

Cedric Lüke (mail@cedric.cc)
2023-12-15 08:53:05

*Thread Reply:* We also see that an (increasing?) number of devices are no longer reporting their iOS version or installing profiles. Did anyone identify a solution for devices no longer communicating via the MDM protocol that does not involve a device wipe and re-enrollment? (WS1 MDM)

Damian (damian_mcmahon@icloud.com)
2023-12-15 10:25:23

*Thread Reply:* We have been on a bridge every 2 days with Apple/VMware for a month and they have yet to pinpoint the issue or issues.

According to the APNS team, the device is seen as offline as the device token is no longer active from the « topic » that is created to process the notifications. The reason behind this is apparently due to a malformation of the request sent by UEM that the APNs refuses…so for now VMware and Apple are battling it out!

Another issue is that post reboot, the device is supposed to (as per design) checkin to the MDM but this is not happening either.

Damian (damian_mcmahon@icloud.com)
2023-12-15 10:27:31

*Thread Reply:* Here are the associated logs:

Registration of the topic:

2023-12-07 13:19:46.021805 0100 0x892 Default 0x0 134 apsd: (apsd) [com.apple.apsd:connectionServer] Creating server: with connectionPortName: com.apple.aps.managedconfiguration.mdmdpush-prod user:

Errors:

Line 1303: 2023/12/07 12:50:28.753 DE02PCN1549GA1 11901f8f-4e80-4dbd-a5a6-ca922631a8f6 [] (53) Error AW.Messaging.FastLaneAPNSMessageChannel.PublishBundleAsync FastLaneAPNSOutbound - Failed to send APNs message for device 86780. CertId:, ResultCode:Suspended, TaskStatus: RanToCompletion

Line 1306: 2023/12/07 12:50:28.753 DE02PCN1549GA1 11901f8f-4e80-4dbd-a5a6-ca922631a8f6 [] (53) Error AW.Messaging.FastLaneAPNSMessageChannel.PublishBundleAsync FastLaneAPNSOutbound - APNs Error. StatusCode:410, DeviceId:86780, The device token is no longer active for the topic.Unregistered Method: AW.Messaging.FastLaneAPNSMessageChannel.PublishBundleAsync;

Cedric Lüke (mail@cedric.cc)
2023-12-15 12:06:18

*Thread Reply:* Thanks, that sounds like it could be fixed by VMware at least. Can you share the Apple and VMware ticket numbers?

Damian (damian_mcmahon@icloud.com)
2023-12-15 12:54:10

*Thread Reply:* It’s a strange one as it’s only 3000 devices (5% of our fleet) that is affected. I’m wondering how these packets become malformed…

Damian (damian_mcmahon@icloud.com)
2023-12-15 12:55:22

*Thread Reply:* We have our own individual incidents raised on each side but there is a collaborative incident between Apple and VMware regarding this. I’ll fish it out and send across in a bit.

jafullersr (jafuller@starbucks.com)
2023-12-21 22:49:36

*Thread Reply:* This is a difficult one, @Damian I am curious to hear the resolution.

Damian (damian_mcmahon@icloud.com)
2024-01-08 19:15:39

*Thread Reply:* Hello and Happy New Year folks.

Ok. So basically Apple rolled out a fix in 17.1 to address the cert chain issue that prevented the devices from checking in to UEM.

https://support.apple.com/en-gb/HT213892

This helped to solve 1/4 devices according to our tests but most never recovered. Apple then told us that the device token issued by the MDM was changed by iOS. I asked why and when that happens but was told it’s proprietary information related to the security of the device. Typical…so for these remaining impacted devices, what happened was that the packet sent by UEM to the APNS never reached the device because the token on the device side didn’t match the one on APNS. It seems that at some point when the first issue related to the certs was present that the device token changed and was unable to inform UEM. This then meant that the device was unable to recover and became stuck in a limbo state. A small number recovered which means that their device token didn’t change and thus when they upgraded to 17.1 the MDM accepted the connection. This is what I find strange that in all the months when many of these devices were cut off from MDM that their device token didn’t change??? Again Apple won’t tell us…so I smell bullshit…so basically we need to reenrol 3000 devices to solve the issue hoping it doesn’t happen again…again no guarantee from Apple…

jon towles (jontowles@gmail.com)
2024-01-08 20:01:06

*Thread Reply:* If it lost the apns certificate that tracks

Damian (damian_mcmahon@icloud.com)
2024-01-08 20:04:32

*Thread Reply:* It’s not the APNS cert but the device token that is used by APNS to identify it

jafullersr (jafuller@starbucks.com)
2024-01-16 17:28:39

*Thread Reply:* WOW. 😳

Damian (damian_mcmahon@icloud.com)
2024-01-16 18:09:41

*Thread Reply:* Yep insane…not even a guarantee that the issue could rear its ugly head again and even why this token changed for a certain number of devices and not for others which were all offline with the same issue…

Damian (damian_mcmahon@icloud.com)
2024-01-22 17:43:25

*Thread Reply:* Ok, so after insisting that they stop taking the piss re their proprietary info argument, Apple has theorised that the device token change happened during the 1st issue with the certificate chain when the device was offline because the security posture of iOS changed - they are guessing that it was due to an invalid MDM installation found but cannot be sure as they didn’t have the logs at the exact time it was changed. You couldn’t make this shit up!

Damian (damian_mcmahon@icloud.com)
2024-01-22 17:44:43

*Thread Reply:* So, cue reenrollment for approx 1000 devices…

jon towles (jontowles@gmail.com)
2023-12-05 12:52:45

@jon towles has joined the channel

👋 Thomas B.
Damian (damian_mcmahon@icloud.com)
2023-12-14 14:49:44

Word out is that 17.2 is a mess and causing lots of issues with contact sync crashing apps. Anyone seeing this? We already have a few incidents raised since the release…

Peter Mohr (pm@conscia.com)
2023-12-14 15:13:58

*Thread Reply:* haven’t seen anything yet

Peter Mohr (pm@conscia.com)
2023-12-14 15:14:29

*Thread Reply:* 40,000 iOS devices are upgraded to 17.2 now….

Damian (damian_mcmahon@icloud.com)
2023-12-14 15:18:00

*Thread Reply:* It seems to only be impacting users with a lot of contacts…

Peter Mohr (pm@conscia.com)
2023-12-14 15:18:25

*Thread Reply:* like how many? I have 2000 contacts and no issues so far

Damian (damian_mcmahon@icloud.com)
2023-12-14 18:51:06

*Thread Reply:* It’s a lot more than that apparently - some VIP users have 20,000 - yeah I know it’s ridiculous but you know how it is…will keep you posted if anything else happens but I just had 2 apps crash on me - intelligent Hub and Planner and I haven’t seen crashes in a long time…

Damian (damian_mcmahon@icloud.com)
2023-12-14 20:38:31
Damian (damian_mcmahon@icloud.com)
2023-12-14 20:40:36

*Thread Reply:* Our CEO has just been impacted and I believe he doesn’t have that many contacts, just a few hundred. We’ve just gone ahead and communicated internally on this and opened a critical case with Apple. Strange that no one here is reporting this…

Amine (amine.ayad@gmail.com)
2023-12-15 10:10:03

*Thread Reply:* Interesting. I had a ticket open for a customer for 6 months with Apple for a high data usage issue related to Contacts (iOS was using GBs of data toward gmdf.apple.com as soon as the Contacts list had a few thousand entries). They fixed it with 17.2, but it seems they broke something else…

Daniel Hooper (dhooper@gold.net.au)
2023-12-20 03:34:02

@Daniel Hooper has joined the channel

Daniel Skaaning (daniel_skaaning@hotmail.com)
2024-01-15 19:38:26

Apple School Manager and password Policy

Is it possible to differentiate automatically password policy assignments on Managed Apple ID (Federated Azure users), meaning users with specific domain will automatically be assigned password policy with 6 digit and another domain with default 8 char (number and letters)? Or differentiate assignment on specific user attribute value?

Thanks in advance, Daniel

Govi (byodmdm@gmail.com)
2024-01-16 06:47:43

Need your advice about Apple "New -> Account-Driven 'Device' Enrollment flow". Have you tried this or already implemented this? If yes, can this enrollment convert a standalone device into a Supervised Device after activation? #ios_general #apple

Jeremy (jeremy@bodokh.com)
2024-01-16 07:33:16

The device will not be supervised if I remember correctly

Govi (byodmdm@gmail.com)
2024-01-16 07:35:15

This attached information i can see in their presentation. Hence would like to clarify...

Florent N. (Florent.NOSARI@econocom.com)
2024-01-16 07:48:12

*Thread Reply:* It is really strange, I don't think it can be supervised like this as you have to go to settings to enroll with account-driven enrollment

👀 Govi
Jeremy (jeremy@bodokh.com)
2024-01-16 07:52:09

*Thread Reply:* I wonder if it might be different for Mac and iOS devices

👍 Govi
Govi (byodmdm@gmail.com)
2024-01-16 07:54:22

*Thread Reply:* sure, but how to clarify? Is anyone already testing the ADDE? If so, can you share the view?

Jeremy (jeremy@bodokh.com)
2024-01-16 07:57:54

*Thread Reply:* Actually it seems that there are still some limitations with ADDE, for example you can’t see or manage the apps in the user side

👍 Govi
Jeremy (jeremy@bodokh.com)
2024-01-16 07:59:04

*Thread Reply:* But you also get full access rights on the device

👍 Govi
Jeremy (jeremy@bodokh.com)
2024-01-16 08:06:37

*Thread Reply:* If I remember correctly you also get the same limitations as UE, you cannot ask for management of an already installed application, so users will have to remove the app and the MDM can then prompt for installation, and if you remove the ADDE account the device is not enrolled anymore

:upvote: Govi
Florent N. (Florent.NOSARI@econocom.com)
2024-01-16 09:20:20

*Thread Reply:* Any idea what MDM supports it? I cannot find docs for Ivanti, Intune and WSO

Govi (byodmdm@gmail.com)
2024-01-16 09:21:12

*Thread Reply:* we need to know deeper about ADDE possibilities and cons... ! trying to get , let me share some update once i get some information...

Jeremy (jeremy@bodokh.com)
2024-01-16 09:35:23

*Thread Reply:* we don’t support it, but I should be able to easily test this with our own MDM

🙏 Govi
Govi (byodmdm@gmail.com)
2024-01-16 10:38:22

*Thread Reply:* please do share when you know the results.

Thomas B. (tbosboom@apple.com)
2024-01-16 14:10:02

*Thread Reply:* With iOS, ADDE does not result in Supervised devices, similar to Profile based device enrolment would do. With macOS it does, with the noted exceptions. This was documented in pretty good detail in the release notes PDF available through AppleSeed beta testing program IIRC.

👍 Jeremy, Govi
Thomas B. (tbosboom@apple.com)
2024-01-16 14:14:53

*Thread Reply:* It’s now also in the Deployment guide - https://support.apple.com/en-gb/guide/deployment/depd1c27dfe6/1/web/1.0#depfd2eb8980

Govi (byodmdm@gmail.com)
2024-01-17 04:07:11

*Thread Reply:* thanks for your sharing and updates... ! i will read those documentation.

Govi (byodmdm@gmail.com)
2024-01-17 04:35:27

*Thread Reply:* Same has been clarified by apple in a forum https://developer.apple.com/forums/thread/735541 comments "On iOS device the only way to get supervision is to use Automated Device Enrollment or Apple Configurator. The supervised state via ADDE comes only on macOS. — Systems Engineer months ago"

Govi (byodmdm@gmail.com)
2024-01-17 04:35:51

*Thread Reply:* Answers found and we can close this topic.

👍 Thomas B.
Jeremy (jeremy@bodokh.com)
2024-01-16 14:10:47

Just noticed this this morning, the new Stolen Device Protection feature will prevent MDM profile installation on iOS device

😵 Damian
👍 Thomas B., JR
Jeremy (jeremy@bodokh.com)
2024-01-16 14:11:03

users will have to disable Stolen Device Protection, enroll and enable the feature again 😭

Jeremy (jeremy@bodokh.com)
2024-01-16 14:11:13

currently in 17.3 beta

Damian (damian_mcmahon@icloud.com)
2024-01-16 18:20:52

I guess it was put in place because you must enter your passcode to install an MDM profile and as only biometrics is possible outside trusted areas when this feature is enabled…still work could be considered a trusted place and most people enroll at work or remotely from their home office 🤔

Jeremy (jeremy@bodokh.com)
2024-01-16 20:55:18

actually the message is: Stolen Device Protection is active. To install this kind of profile, temporarily disable Stolen Device Protection in Settings and try again.

Jeremy (jeremy@bodokh.com)
2024-01-16 20:55:32

does not seem to allow for any “trusted place” exception

Thomas B. (tbosboom@apple.com)
2024-01-17 09:25:54

Can’t hurt to file feedback if this is creating friction for you; although I suppose many will be using Automated device enrolment which would enrol prior to SDP becoming active.

Jeremy (jeremy@bodokh.com)
2024-01-17 09:44:35

Yes, it’s just for BYOD use case this will add another friction

MDM (formacionabox@gmail.com)
2024-01-21 03:32:02

@MDM has joined the channel

Jason Asma (jason.asma@broadcom.com)
2024-01-21 22:20:47

@Jason Asma has joined the channel

Robert Schafer (robert.schafer@subsidium-ms.com)
2024-01-22 06:10:30

@Robert Schafer has joined the channel

Rajesh Daadi (rajesh@codeproof.com)
2024-01-23 14:05:02

Hi team,

Issue: Unable to connect iOS devices to the Xcode tool on a Mac. In general, when we connect an iOS device to a Mac, we receive a prompt on the iOS device screen to Trust this device, but after enrolling the device (fully managed), we do not receive this prompt. Posted in the Apple Forum, I haven't received any response. https://developer.apple.com/forums/thread/744580

Please can someone check and advise?

Robert Schafer (robert.schafer@subsidium-ms.com)
2024-01-23 17:22:18

*Thread Reply:* There should be an “Allow host pairing” option in your MDM; once enabled, that should sort the problem out.

Yashwanth (yash@codeproof.com)
2024-01-23 14:12:00

@Yashwanth has joined the channel

Mec (matthew@compassfoundation.io)
2024-01-23 20:34:12

@Mec has joined the channel

Santiago (uemsantiago@gmail.com)
2024-01-24 11:23:45

@Santiago has joined the channel

R.P. (ryan@ryan-phillips.me)
2024-01-25 00:59:26

@R.P. has joined the channel

Vinicius (vinicius@pulsus.mobi)
2024-01-29 18:21:40

@Vinicius has joined the channel

Bart Peeters (bart.peeters@arp.com)
2024-01-30 11:57:08

@Bart Peeters has joined the channel

James Kelly (james@element32.com)
2024-02-02 21:15:56

@James Kelly has joined the channel

Damian (damian_mcmahon@icloud.com)
2024-02-06 16:07:02

Hi folks, anyone know if previewing a website would constitute opening a malicious link as we’ve seen it to be the case. Our security team ran a phishing exercise and a few users did this thinking it wouldn’t trigger an alert! I didn’t find any MDM restriction that would allow us to block this…

Peter Mohr (pm@conscia.com)
2024-02-06 19:07:33

*Thread Reply:* yes, the device actually opens the link and then renders the preview... To the phishing/pen-test team this looks like a user clicked the link

👍 Damian
👍:skin_tone_2: Woody
Damian (damian_mcmahon@icloud.com)
2024-02-07 09:51:53

*Thread Reply:* Yes, this is what I thought 🙂

Barbra Conner (iambac777@gmail.com)
2024-02-07 02:10:59

NOTE: Stolen Device Protection blocks MDM enrollment and must be disabled prior to enrolling. If it is enabled during enrollment you will need to disable it but the device will go through an hour long countdown for it to disable and for enrollment to continue

👍 Rajesh Kumar, Nico Hermeling
Damian (damian_mcmahon@icloud.com)
2024-02-07 13:30:40

If anyone is interested, the following MDM restriction has been documented in 17.4 beta 2 to disallow third party AppStore installation

https://developer.apple.com/documentation/devicemanagement/restrictions

👍:skin_tone_2: Woody
👍 Phil Hackett, Steven, Mark Vonk, Matt Dermody
👏 Govi
Woody (eric.woodland@trust.tc)
2024-02-07 13:53:45

*Thread Reply:* Good find!

✅ Jay
Phil Hackett (phil.hackett83@gmail.com)
2024-02-07 18:16:40

*Thread Reply:* Looks like it doesn’t require supervision. Am I reading that right?

Phil Hackett (phil.hackett83@gmail.com)
2024-02-19 15:31:12

*Thread Reply:* Confirmed by Apple - all iOS restrictions for third-party AppStores will require supervision (which is what I expected)

👍:skin_tone_2: Woody
👀 Woody
🫣 Govi
Govi (byodmdm@gmail.com)
2024-03-04 04:36:03

*Thread Reply:* When can we try this restriction profile in our MDM/Apple Configurator? For NON-Supervised devices we don't have any option to restrict the 3rd party Appstores?

Govi (byodmdm@gmail.com)
2024-03-04 04:38:53

*Thread Reply:* Can hiding/blocking those Marketplace App or Bundle ID help for NON-Supervised devices (managed devices)?

Govi (byodmdm@gmail.com)
2024-03-04 05:31:09

*Thread Reply:* another nice article i found to block the market place , very nicely written by an MVP : https://www.intuneirl.com/alternative-app-stores-not-on-my-supervised-devices/

👍:skin_tone_2: Woody
Alex (alwc90@gmail.com)
2024-02-11 10:58:28

@Alex has joined the channel

Andrew C (andrew.clack@cfacorp.com)
2024-02-16 21:07:13

@Andrew C has joined the channel

jafullersr (jafuller@starbucks.com)
2024-02-17 00:41:57

Are there folks here using Apple's shared iPad solution (requires managed Apple IDs, etc)? If so, would you mind sharing your experience?

Ajay Patel (ajay5675@msn.com)
2024-02-17 07:09:06

*Thread Reply:* following - as we have a requirement that may warrant this but just haven’t got round to actually playing with it fully yet

jafullersr (jafuller@starbucks.com)
2024-02-21 16:18:27

*Thread Reply:* We have played with it too, but I'd really like to hear from anyone using it in a production environment. Operationally I think shared iPad adds a ton of overhead.

Ajay Patel (ajay5675@msn.com)
2024-02-21 16:20:25

*Thread Reply:* From what I’ve read I 100% agree and that’s half the reason why I haven’t played with it yet. If it was as simple as Android and doing it with some kind of launcher that overlays on the screen for sign-in/sign-out that would be amazing but it’s the use of managed AppleIDs that I don’t like

jafullersr (jafuller@starbucks.com)
2024-02-21 16:23:24

*Thread Reply:* Also, it doesn't connect the authentication to the device to extensibleSSO. This would be the game-changer we need if it could/would do that.

Phil Hackett (phil.hackett83@gmail.com)
2024-02-23 18:56:24

*Thread Reply:* We use Temporary Sessions for some use cases. But federating ABM is holding us back….

jafullersr (jafuller@starbucks.com)
2024-03-12 17:31:29

*Thread Reply:* What about federation is holding you back?

Joel Prefontaine (joel_prefontaine@outlook.com)
2024-04-14 11:21:55

*Thread Reply:* We are federated and it works but it’s behind the Apple school program, I can’t set timeout Lock Screen and it’s 2 minutes. Also would be good to be able to use a different passcode or something like authenticator app. Some apps also don't support the shared mode at all

ZombieSlayer (msweisberg@outlook.com)
2024-02-29 12:17:42

@ZombieSlayer has joined the channel

Justin Butts (justin.butts777@gmail.com)
2024-02-29 23:28:46

Party People!! I've got some questions about Managed App Configs and how they can be leveraged to automate app-specific logins / sign-ups. Anyone here a M.A.C. wizard?

Daniel Skaaning (daniel_skaaning@hotmail.com)
2024-03-04 09:42:38

Shared iPad and default Domain at login screen

Anyone able to make a sample file .mobileconfig for me with this setting in the picture? It should be used with Intune. Thanks in advance.

Justin Butts (justin.butts777@gmail.com)
2024-03-05 18:59:09

anyone seen a management / policy guide for MDM for Vision Pro yet?

Mark Vonk (mark.vonk@dahvo.com)
2024-03-05 19:08:55

*Thread Reply:* If you find GitHub stuff readable, here is a link: https://github.com/apple/device-management/compare/release...seediOS-17.4macOS-14.4

Justin Butts (justin.butts777@gmail.com)
2024-03-05 19:21:00

*Thread Reply:* MY MAN thank you @Mark Vonk

Justin Butts (justin.butts777@gmail.com)
2024-03-05 19:21:21

*Thread Reply:* holy lord what a terrible day to have eyes

Thomas B. (tbosboom@apple.com)
2024-04-23 09:31:51

*Thread Reply:* There is also the Apple Platform Deployment Guide section for Vision Pro: https://support.apple.com/en-ca/guide/deployment/dep18daf732d/1/web/1.0

Govi (byodmdm@gmail.com)
2024-04-29 08:40:17

*Thread Reply:* Additionally, JAMF says that Management capabilities are available in Jamf Pro 11.3.1 for Apple Vision Pro devices with visionOS 1.1. https://learn.jamf.com/en-US/bundle/technical-articles/page/Vision_Pro_Management_with_Jamf_Pro.html

Justin Butts (justin.butts777@gmail.com)
2024-03-05 18:59:21

all I can find from Apple is marketing stuff

Jay (vita@akut-hr.de)
2024-03-06 09:46:08

has anybody already seen MDM controls in their UEM for disabling alternative app stores for iOS 17.4 users in the EU?

Jeremy (jeremy@bodokh.com)
2024-03-06 10:47:22

we do support it @ Appaloosa.io 🙂

✅ Jay
Almar Diehl (almar.diehl@blaud.com)
2024-03-06 10:58:08

Yes, we do it by installing a custom configuration on devices.

✅ Jay, Woody, Thomas B.
Jay (vita@akut-hr.de)
2024-03-06 12:18:22

*Thread Reply:* did you verify that this works?

Almar Diehl (almar.diehl@blaud.com)
2024-03-06 12:22:08

*Thread Reply:* Well the actual test will be when the first third-party appstore becomes available (from what I have heard Mobivention will launch their appstore tomorrow). But when looking at the management profile on my device, going to restrictions, the restriction is there.

✅ Jay
Almar Diehl (almar.diehl@blaud.com)
2024-03-06 10:59:29

See https://www.intuneirl.com/alternative-app-stores-not-on-my-supervised-devices/ for Intune.

✅ Jay
Arttu (arttu.huhtiniemi@miradore.com)
2024-03-06 12:05:59

Supported from today by Miradore.

✅ Jay, Woody
ZombieSlayer (msweisberg@outlook.com)
2024-03-06 13:10:31

VMware has it also. https://kb.vmware.com/s/article/96740

✅ Jay, Damian
YAS (esteem143@gmail.com)
2024-03-06 14:04:52

Microsoft has it on there in-development. https://learn.microsoft.com/en-us/mem/intune/fundamentals/in-development#iosipados

✅ Jay
Jay (vita@akut-hr.de)
2024-03-06 14:56:43

I looked to Microsoft's in development earlier today and totally missed it as I was looking for a big header for this change,

Jay (vita@akut-hr.de)
2024-03-06 14:56:47

thanks for pointing this out

Edwin de Bruin (edwin@debruinonline.net)
2024-03-22 15:40:05

@Edwin de Bruin has joined the channel

Jithendra P (jithuacharya@outlook.com)
2024-04-19 15:39:14

@Jithendra P has joined the channel

Thomas B. (tbosboom@apple.com)
2024-04-23 09:32:52

For those who haven’t seen the beta notes for 17.5, there will be a separate restriction for apps distributed directly from webpages….

👍 Daniel, Mark Vonk
Damian (damian_mcmahon@icloud.com)
2024-04-23 13:59:16

Hi folks, just to let you know that there are a lot of issues with VPN functionality at the moment that will be fixed in iOS 17.5 beta 3 as confirmed by Apple support.

We have to reboot the device each time we push a new profile or sometimes post reboot it can take up to 5 mins for the device to leverage the tunnel.

👀 Thomas B.
Almar Diehl (almar.diehl@blaud.com)
2024-04-24 09:35:14

*Thread Reply:* Hi Damian, are the issues you are seeing in 17.4 or in 17.5 beta?

Damian (damian_mcmahon@icloud.com)
2024-04-24 09:35:43

*Thread Reply:* Currently seeing them on 17.4.1

Almar Diehl (almar.diehl@blaud.com)
2024-04-24 09:36:07

*Thread Reply:* Cool thanks! So are we!

Damian (damian_mcmahon@icloud.com)
2024-04-24 09:37:58

*Thread Reply:* Don’t hesitate to open a case and bolt on to ours: 102274595372

👍 Almar Diehl
Thomas B. (tbosboom@apple.com)
2024-04-25 09:07:30

*Thread Reply:* What would be super, super valuable is to install the latest beta and share feedback into AppleSeed to confirm the fix - sometimes there are multiple issues at play and if the fix isn’t effective for you, sharing that now is probably your best bet for seeing a fix in 17.5.

Damian (damian_mcmahon@icloud.com)
2024-04-26 16:23:04

*Thread Reply:* The issue still isn’t fixed in 17.5 beta 3 so I’m going to share that via Appleseed and the ticket

Damian (damian_mcmahon@icloud.com)
2024-05-22 10:35:49

*Thread Reply:* Just to let you know that all the issues were finally fixed in beta 4 and public 17.5.x also ok

❤️ Thomas B.
Govi (byodmdm@gmail.com)
2024-04-29 08:42:47

please share your expert views about choosing the best solution for BYOD with #Apple #AccountDrivenUserEnrollment (AUE) vs #microsoft_intune WebBased Device Enrollment ! which is the best fit for Users. #apple #microsoft #byod

Jay (vita@akut-hr.de)
2024-05-16 15:33:48

Someone in here who also has to deal with the iOS Slack app not being available for download in China from 1st of June on?

Damian (damian_mcmahon@icloud.com)
2024-05-24 10:56:14

Hi All, could I ask everyone who has a premium support contract with Apple to put pressure on them to fix the issue with mobileSSO for Apple:

Product request reference provided by VMware:

Description

When a certificate credential is specified in the same MDM profile as an SSO Extension, the SSO Extension code is unable to access the certificate which is stored into the Apple keychain. This request is for supporting being able to access a certificate that is declared in the same MDM profile as the SSO extension from the SSO extension code. The reason for accessing the certificate is to be able to make a client-SSL request to a server using the certificate and the certificate's private key. The built-in Kerberos SSO Extension provided by Apple does this in that a PKINIT certificate can be specified in the MDM profile and then the Kerberos SSO extension can be configured to use that certificate. However, a non-Apple developer cannot implement similar functionality because the certificate declared in the MDM profile is stored into an Apple keychain which is not accessible to non-Apple code.

Steps to reproduce the issue:

  1. Create an MDM profile that contains:
     - SSO Extension of type Credential and a CertificateUUID value in the extension data that references a certificate payload
     - A certificate declared in either the Credential or SCEP section of the MDM profile
  2. Write an SSO extension and install it and the profile from step 1 into an iOS or iPadOS device. Write code in the extension that references the certificate to make a client-SSL connection to a server.

With current iOS support, step 2 is not possible.

One way to provide this support would be to allow a certificate (including a SCEP certificate) that is declared in an MDM profile to be installed into an application-defined keychain security group rather than in the default Apple keychain security group.

Peter Mohr (pm@conscia.com)
2024-05-24 11:39:37

*Thread Reply:* The SSO provider developer could use a SFSafariViewController thing to authenticate against the backend. This allows for CBA

☝️ Thomas B.
jafullersr (jafuller@starbucks.com)
2024-07-02 20:03:40

*Thread Reply:* It would be interesting if they allowed defining the Bundle ID and App Group that could utilize that certificate through an app keychain. What is the priority of this feature request? Do you know?

How you could work around this is to use an MDM SDK within the eSSO app which consumes the certificate payload via the SDK, then stores that certificate in a shared keychain for your App Group. That's assuming that you're building your own eSSO.

Damian (damian_mcmahon@icloud.com)
2024-07-02 20:09:24

*Thread Reply:* I know that they are working on it but don’t know the priority. Have you opened a case to bolt on to this? The more the merrier. Re: eSSO - we’re not building our own but interesting all the same

Kruit (ma.kruit@belastingdienst.nl)
2024-06-04 12:33:24

@Kruit has joined the channel

Nesrin Kalender (kalendernesrin@gmail.com)
2024-06-06 20:53:26

@Nesrin Kalender has joined the channel

Artan Prenaj (artan_p@outlook.com)
2024-06-12 20:52:39

@Artan Prenaj has joined the channel

Dylan (dylanjsatelle@gmail.com)
2024-06-26 19:27:40

@Dylan has joined the channel